Installation and Implementation Guide

This document serves as a comprehensive guide for partners, technical stakeholders, and other professionals seeking to understand, implement, or optimize our solutions. It provides detailed information and best practices tailored for our two deployment models: on-premises and hybrid.

The content is designed to assist in planning, deploying, and maintaining these systems, ensuring seamless integration and operational efficiency. Whether you are a partner aiming to support end-users or a technical lead managing deployments, this document is crafted to address your needs and facilitate successful outcomes.

Requirements

To ensure a successful implementation of the Excalibur authentication system, the following prerequisites must be met. These requirements are designed to support high availability (HA), security, and seamless integration within your infrastructure.

Access Requirements

Administrator privileges are required on the application server to install and configure Excalibur.

Read and write permissions for target directories where the application and logs will be stored.

Single node deployment requirements

  • CPU: 8 cores recommended for single node configurations.
  • RAM: Minimum 16 GB
  • Storage: Minimum 200 GB of available storage for installation, logs, application database and session recordings.
  • Operating System: Linux (Ubuntu, CentOS, Red Hat) with Docker Engine

High Availability deployment requirements

  • CPU: 20 cores recommended for entire cluster in multi-node configurations.
  • RAM: Minimum 24 GB
  • Storage: Minimum 200 GB of available storage for installation and logs.
  • Platform: Linux-based Kubernetes (including k3s), OpenShift/OKD, or Kubernetes as a Service (AKS, GKE, EKS)

Network Requirements for On-Premises Deployment

When deploying the Excalibur stack on-premises, certain external web services must be accessible to ensure full functionality. This document outlines the required endpoints, their purposes, and the impact of network restrictions.

External Endpoints Overview

The following table lists all external web services that the on-premises deployment may need to access:

Endpoint                      | Port | Purpose                       | Required  | Impact if Unavailable
www.googleapis.com            | 443  | Device integrity verification | Optional  | Device integrity checks will fail if enabled in security policies
playintegrity.googleapis.com  | 443  | Google Play Integrity API     | Optional  | Device integrity checks will fail if enabled in security policies
ca.xclbr.com                  | 443  | Excalibur Cloud CA Service    | Required* | Cannot register deployment or manage users

* Required during initial deployment registration and user management operations only.
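A pre-flight egress check for the three endpoints in the table, as an added example that is not part of the Excalibur guide. It uses .NET sockets so it runs in Windows PowerShell or pwsh on the Linux deployment host; the host names, ports and Required flags are taken from the table, and a TLS handshake failure after a successful TCP connect indicates an intercepting proxy or a missing trust chain on the path.

```powershell
# Added example, not from the Excalibur documentation: verify outbound access to the
# endpoints listed in the table before deploying. .NET sockets are used instead of the
# Windows-only Test-NetConnection cmdlet so the same script works under pwsh on Linux.

# Endpoint table copied from the guide; Required mirrors the table's Required column.
$Endpoints = @(
    @{ Host = 'ca.xclbr.com';                 Port = 443; Required = $true;  Purpose = 'Excalibur Cloud CA Service' },
    @{ Host = 'www.googleapis.com';           Port = 443; Required = $false; Purpose = 'Device integrity verification' },
    @{ Host = 'playintegrity.googleapis.com'; Port = 443; Required = $false; Purpose = 'Google Play Integrity API' }
)

function Test-TlsEndpoint {
    param(
        [Parameter(Mandatory)] [string] $HostName,
        [int] $Port = 443,
        [int] $TimeoutMs = 5000
    )
    $result = [ordered]@{ Host = $HostName; Port = $Port; TcpOk = $false; TlsOk = $false; Issuer = ''; Error = '' }
    $client = [System.Net.Sockets.TcpClient]::new()
    try {
        # Connect with a timeout so a silently dropped packet does not hang the check.
        $async = $client.BeginConnect($HostName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs)) {
            $result.Error = "TCP connect timed out after ${TimeoutMs} ms (likely dropped by a firewall)"
            return [pscustomobject]$result
        }
        $client.EndConnect($async)
        $result.TcpOk = $true

        # Full TLS handshake with the default (strict) certificate validation. TcpOk = true with
        # TlsOk = false usually means a TLS-intercepting proxy is presenting its own certificate.
        $ssl = [System.Net.Security.SslStream]::new($client.GetStream(), $false)
        $ssl.AuthenticateAsClient($HostName)
        $result.TlsOk  = $true
        $result.Issuer = $ssl.RemoteCertificate.Issuer
        $ssl.Dispose()
    } catch {
        $result.Error = $_.Exception.GetBaseException().Message
    } finally {
        $client.Dispose()
    }
    return [pscustomobject]$result
}

# Run the check and decide whether the deployment can proceed.
$blocking = 0
foreach ($e in $Endpoints) {
    $r     = Test-TlsEndpoint -HostName $e.Host -Port $e.Port
    $state = if ($r.TlsOk) { 'OK' } elseif ($r.TcpOk) { 'TLS-FAIL' } else { 'UNREACHABLE' }
    $tag   = if ($e.Required) { 'required' } else { 'optional' }
    $info  = if ($r.Error) { $r.Error } else { $r.Issuer }
    '{0,-12} {1,-30} {2,-8} {3}' -f $state, $e.Host, $tag, $info
    if ($e.Required -and -not $r.TlsOk) { $blocking++ }
}
if ($blocking -gt 0) {
    Write-Warning "$blocking required endpoint(s) unreachable: deployment registration and user management will fail."
} else {
    Write-Host 'All required endpoints reachable. Optional endpoints matter only if device integrity checks are enabled.'
}
```

Run it from the host (or network segment) where the Excalibur stack will be deployed, since egress rules usually differ between an administrator workstation and the server network.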

Google APIs Endpoints (Optional)

Purpose

  • Service: Device Integrity Verification
  • Endpoints:

    • www.googleapis.com:443
    • playintegrity.googleapis.com:443

Functionality

These endpoints are used to perform device integrity checks as part of the security policy framework. They validate that client devices connecting to the stack meet security requirements.

Configuration

Device integrity checks can be disabled in the security policies. When disabled, the stack will not attempt to communicate with these services.

Impact of Restrictions

  • If access is blocked and device integrity checks are enabled: Authentication requests will fail for devices that cannot be verified.
  • If access is blocked and device integrity checks are disabled: No impact on functionality.

Recommendation

For air-gapped or highly restricted environments, disable device integrity checks in the security policies to eliminate the dependency.

Architecture Overview

Excalibur offers a highly adaptable and scalable architecture designed to serve enterprises of any size. Its modular design enables organizations to scale their implementation as needed, starting with straightforward Docker-based configurations and evolving into full Kubernetes (including k3s) or OpenShift clusters. This flexibility ensures Excalibur effectively supports both small teams and large, globally distributed organizations.

Key Benefits:

  • Rapid Deployment: Containerized architecture allows for immediate setup via Docker or Kubernetes.
  • High Availability: Clustering capabilities through Kubernetes (including k3s) or OpenShift maximize resilience and uptime.
  • Cloud-Native Compatibility: Seamless integration with major cloud providers facilitates hybrid and multi-cloud deployment strategies.
  • Tenant Isolation: A robust multi-tenant model ensures isolated environments for every tenant, optimizing security and configurability.

Excalibur utilizes containerization to balance simplicity with power. Single-node deployments leverage Docker for speed and ease of use, while High Availability (HA) requirements are met through Kubernetes-based clusters (including k3s), providing the robustness needed for enterprise workloads.

Figure 1. Recommended Single Node Deployment Architecture

Figure 2. Recommended Hybrid Deployment Architecture

Supported Kubernetes Services for HA

To ensure operational simplicity and reliable scaling, Excalibur integrates natively with leading managed Kubernetes services:

  • Azure Kubernetes Services (AKS)
  • Google Kubernetes Engine (GKE)
  • Amazon Elastic Kubernetes Services (EKS)

These platforms allow Excalibur to scale dynamically to meet changing business demands.

Kubernetes and OpenShift

For deployments requiring multi-tenancy, Kubernetes (including k3s) and OpenShift are the supported environments. Excalibur’s multi-tenant architecture is designed to leverage the power of these orchestration platforms. When a new tenant is created, Excalibur automatically provisions a new, isolated set of resources (such as pods and services) within the cluster, ensuring strict separation and security.

Docker, on the other hand, is utilized for simpler, single-tenant deployments. Because a Docker environment runs a pre-defined set of containers without the ability to dynamically spawn new, orchestrated resource sets, it is not suitable for Excalibur's multi-tenant model.

Excalibur ensures that organizations can choose the deployment model that best suits their specific use case.

Multi-tenancy and Application Flexibility

Excalibur’s multitenancy architecture ensures that each tenant operates within a dedicated user interface, isolating their data and processes for enhanced security and customization. Key features include:

  • Dedicated Application Components: Each tenant utilizes its own set of selected application components, ensuring flexibility in deployment and configuration.
  • Scalable Design: The platform is designed to grow alongside enterprise needs, allowing seamless onboarding of additional tenants without compromising performance or security.

Excalibur Tunnel Architecture overview

Figure 3.1. Overview

Figure 3.2. Authentication

Figure 3. Excalibur Tunnel overview

The Excalibur Tunnel Client is a key component of the Excalibur Tunnel technology, designed to securely connect local networks to the Excalibur Cloud. This enables seamless access to SAM (Streamed Access Management) resources hosted in local networks from the cloud-hosted Excalibur environment.

The Tunnel establishes a secure, reliable link using mutual TLS (mTLS) for both authentication and encryption, ensuring data integrity. Designed for ease of use by both developers and system administrators, the client offers a straightforward installation process without compromising on enterprise-grade security.

Key Takeaways

Excalibur’s strategic use of containerization and orchestration (Kubernetes, k3s, OpenShift) positions it as a premier solution for modern security infrastructure. Whether deploying a single node for a small team or a high-availability cluster for a global enterprise, Excalibur provides the necessary scalability and flexibility. By combining robust multi-tenancy with cloud-native technologies, Excalibur ensures your security infrastructure is future-proof.

Installation

Deploying Excalibur is a highly customizable process designed to adapt to your specific infrastructure, whether cloud-based, on-premises (Kubernetes, k3s, OpenShift), or hybrid. Before proceeding, ensure your environment meets compatibility requirements such as public DNS records, SSL certificates, and LDAP integrations.

To set up the environment, a few essentials are required. First, obtain a GitHub Personal Access Token, which is needed to access the private image repositories hosted on ghcr.io. Next, obtain the necessary manifests from Excalibur (for Docker, Kubernetes including k3s, or OpenShift), which define your application's configuration and deployment settings.

Kubernetes (SaaS)

Installing Helm

If you do not have Helm installed, run:

curl https://raw.githubusercontent.com/helm/helm/main/scripts/get-helm-3 | bash
# Or use your package manager, e.g.:
sudo apt update && sudo apt install helm

Verify installation:

helm version

Add the Excalibur Helm Repository

helm repo add xclbr https://helm.xclbr.com
helm repo update

Prepare the Configuration File based on the following example

# Administrator credentials for accessing the Excalibur dashboard (Grafana)
admin:
  email: 'admin@xclbr.com' # Email address for the admin user
  userName: 'admin' # Username for the admin user
  password: '<strong-password>' # Password for the admin user (choose a strong password)
# Password used to encrypt backups of your data
backup:
  repository:
    password: '<strong-password>' # Encryption password for backup repository
# Database settings for Excalibur
# Set the root password and choose the type of database deployment
# By default, a 3-node Galera cluster is used for high availability
# You can switch to a single database instance for simpler setups
database:
  password: '<strong-password>' # Root password for the database
  # type: cluster                 # Default: 3-node Galera cluster
  # type: single                  # (Optional) Use 'single' for a single MariaDB instance
# Ingress (external access) settings for Excalibur
# This section controls how users access Excalibur from outside the cluster.
# If you use cert-manager for automatic HTTPS certificates, keep the annotations and TLS settings.
# If not, you can remove or adjust these sections.
ingress:
  annotations:
    cert-manager.io/acme-challenge-type: http01 # Use HTTP-01 challenge for Let's Encrypt
    cert-manager.io/cluster-issuer: letsencrypt-production # Use the production issuer for certificates
  className: 'nginx' # Ingress controller class (usually 'nginx')
  hostName: excalibur.xclbr.com # Public hostname for Excalibur
  tls:
    enabled: true # Enable HTTPS (recommended)
    letsEncryptEnabled: true # Use Let's Encrypt for certificates
# Enable integrity check for Google Play
# If enabled, paste your private key for Google Play integration
# Set to false if not required
integrity_check:
  enabled: true
  private_key: |
    -----BEGIN PRIVATE KEY-----
    -----END PRIVATE KEY-----
# Enable proxy URL for internet access
# Comment out or set to an empty string if not required
# internet_proxy: 'http://proxy.example.com:8080'
# GitHub Container Registry settings
# Used to pull Excalibur images from GitHub's registry
# Provide a Personal Access Token (PAT) with the correct permissions
registry:
  token: '<github-PAT>' # GitHub PAT for registry access
# ServiceAccount settings for Kubernetes
# Controls which account Excalibur uses to run in the cluster
# Set 'create' to true to create a new account, or false to use an existing one
serviceAccount:
  create: true # Create a new ServiceAccount (recommended)
  name: excalibur # Name of the ServiceAccount
# (Optional) Advanced pod scheduling settings
# Use these to control which nodes Excalibur runs on, or to tolerate special node conditions
# By default, these are not set. Uncomment and adjust if needed.
# spec:
#   affinity: {}                                  # Node affinity rules
#   nodeSelector: {}                              # Node selection by label
#   tolerations: []                               # Tolerations for taints
# Storage class settings for persistent data
# 'standardClass' is used for general files, 'databaseClass' for database storage (faster disks)
storageClasses:
  standardClass: standard # Default storage class for general files
  databaseClass: standard # Storage class for database (can be different for performance)
# (Optional) Persistent volume sizes for Excalibur data
# Uncomment and adjust the sizes as needed for your deployment
# volumes:
#   backup-repository: '10Gi'                     # Size for backup storage
#   certificates: '10Mi'                          # Size for certificate storage
#   dashboard-static-files: '100Mi'               # Size for dashboard static files
#   database-data: '10Gi'                         # Size for database data
#   grafana-data: '100Mi'                         # Size for Grafana data
#   keystore: '10Mi'                              # Size for keystore
#   loki-data: '1Gi'                              # Size for Loki logs
#   pam-recordings: '5Gi'                         # Size for PAM recordings
#   prometheus-data: '1Gi'                        # Size for Prometheus data
#   shared-drive: '1Gi'                           # Size for shared drive
#   squid-spool: '100Mi'                          # Size for Squid cache
#   vitro-client-static-files: '1Gi'              # Size for Vitro client static files

Save it as .values.yaml and edit with your preferred editor to fit your environment:

vim .values.yaml

  • Set administrator credentials, database passwords, and other required values.
  • Review all comments in .values.yaml for guidance on each setting.

Install the Excalibur Application

Install Excalibur into your Kubernetes cluster. In the example below, the Helm release name is excalibur-v4; you can choose any other name, or have one generated automatically with the --generate-name switch. xclbr is the Helm repository added above and excalibur is the chart name. Replace <namespace> and <version> as needed:

helm install excalibur-v4 xclbr/excalibur -f .values.yaml --namespace <namespace> --create-namespace --version <version>

  • <namespace>: The Kubernetes namespace to use (e.g., excalibur)
  • <version>: The chart version to install (see available versions with helm search repo xclbr --versions)

Upgrade or Update Excalibur

To upgrade to a new version or update your configuration:

helm repo update
helm search repo xclbr/excalibur --versions
helm upgrade excalibur-v4 xclbr/excalibur -f .values.yaml --namespace <namespace> --version <new-version>

Uninstall Excalibur

To remove Excalibur from your cluster:

helm uninstall excalibur-v4 --namespace <namespace>

Troubleshooting & Support

  • For configuration details, see the comments in example.values.yaml.
  • For advanced options, see the chart documentation in charts/excalibur-v4/README.md.
  • If you encounter issues, contact your support representative or the Excalibur DevOps team.

Once all the commands have been executed, check the status of the pods to ensure the deployment is successful. All pods should show the Running status. Use the following command:

kubectl get pods -n <namespace>

If any pods are not running or show errors, inspect the logs and configurations to troubleshoot. This concludes the deployment process.

Open https://<your-instance-fqdn>/setup in a browser to access the application and continue with server setup.

Kubernetes (On-Premises)

The on-premises installation uses the same Helm-based procedure as the Kubernetes (SaaS) section above: install Helm, add the xclbr Helm repository, prepare .values.yaml from the example, run helm install (and later helm upgrade or helm uninstall) with your namespace and chart version, verify the pods with kubectl get pods -n <namespace>, and open https://<your-instance-fqdn>/setup to continue with server setup. The configuration example and the commands are identical to those in that section; follow it step by step.

Docker (On-Premises)

Pulling the images requires authenticating to the registry where they are stored. Log in to ghcr.io with the credentials you were provided so that all required containers can be downloaded. Pass the token on standard input (--password-stdin) rather than as a command-line argument, so it is not recorded in the shell history or visible in the process list:

# PROVIDED_TOKEN holds the registry token supplied by Excalibur
echo "$PROVIDED_TOKEN" | docker login ghcr.io --username excalibur-enterprise --password-stdin

Preparing the .env file is essential for configuring the environment. This file contains key variables that define system behavior and connectivity. Example configuration:

EXC_ADMIN_USER=admin
EXC_ADMIN_EMAIL=admin@acme.com
EXC_CORE_CA_URL=https://ca.xclbr.com
EXC_SERVER_HOSTNAME=dev.xclbr.com

These values ensure proper authentication, email configuration, and connection to core services. Adjust them as needed based on your specific environment.

After preparing the .env file, you can start the deployment process by running the Docker Compose command with the specified environment file and configuration. This command downloads the necessary images and starts the containers in detached mode:

docker compose --env-file .env --file <filename>.yml up --detach

To verify that the containers are running, use the following command:

docker ps

The server setup can be accessed locally. For public access, additional steps like setting up a load balancer or reverse proxy may be needed. These steps ensure secure and efficient access from outside your local network.

Initial Server Setup

Following installation, the Setup Guide walks you through the initial system configuration and the registration of the first System Administrator account.

Step 1: License Configuration

  1. Log in to your instance at https://<your-fqdn>.

  2. On the “Deployment Setup” screen, upload your license file (.lic) and/or enter the license key (format: AAAAA-BBBBB-CCCCC-DDDDD-EEEEE).

  3. Click NEXT to validate and continue.

  4. If validation fails, check your license key/file, network connectivity, and ensure the system time is correct.

Step 2: Server Setup (Dashboard URL)

  1. Enter the fully-qualified domain name (FQDN) where the Dashboard (web UI) will be accessed (e.g., excalibur.company.com).

  2. Confirm TLS/SSL settings (ensure certificate for that FQDN exists) if running in production.

  3. Click NEXT to proceed.

Step 3: SMTP / Email Setup

Note

This step is optional—you may SKIP it and configure SMTP later in the Dashboard.

  1. Configure your SMTP server details so that the system can send emails (invitations, notifications).

    • Sender email (FROM) address

    • SMTP host name, port, authentication (username/password) or TLS settings

    • Optionally: network settings, verification credentials

  2. After entering details, click NEXT.

Step 4: Identity Store Configuration

Note

This step is optional—you may SKIP it and configure Identity Store later in the Dashboard.

Excalibur supports different Identity Stores for user authentication: Active Directory-based Identity Store, Microsoft Entra ID Identity Store, and Local Identity Store (Excalibur as Local Identity Store).

  1. For connecting to an Active Directory or LDAP Identity Store, refer to Create an AD-based Identity Store. You’ll need:

    • Host/DNS name

    • Base DN

    • Bind DN and password

    • TLS/SSL settings if using LDAPS

    • The user account that will act as the first “System Administrator”.

    For connecting to Microsoft Entra ID, refer to Create a Microsoft Entra ID Identity Store. You’ll need:

    • Client ID
    • Client Secret
    • Tenant ID

    For Local Identity Store, refer to Create a Local Identity Store. No external configuration required.

  2. Ensure network connectivity from the Excalibur instance to the identity store.

  3. Click NEXT.

Step 5: System Administrator Registration

  1. The identity store user you specified in the previous step will be registered as the first System Administrator.

  2. On first login, the System Administrator must:

    • Log in via the web UI using their identity-store credentials

    • Launch the mobile app (for example, the Excalibur mobile token app) and register the device by scanning the QR code shown on screen

    • Set up any required push notifications, MFA factors (PIN, fingerprint, FaceID) as required.

  3. Once this is complete, you’ll have full admin access and can proceed to configure the system.

Step 6: Post-Setup Verification

  1. Send a test invitation to a user email and verify the email is delivered (if SMTP was configured).

  2. Have the invited user complete registration via the mobile app and ensure login works correctly.

  3. Verify that the Dashboard URL resolves correctly, TLS is valid, and the web UI is accessible from client devices.

  4. For an on-premises or production deployment: verify that target systems (PAM targets) can be onboarded, connections succeed, and session recording or auditing (if used) functions correctly.

  5. Monitor the cluster/pods (for Kubernetes) or containers (for Docker) to ensure health and stability.

Step 7: Next Steps & Hardening

  1. Define user roles and permissions (Administrator, Auditor, User) within the system.

  2. Onboard further users, groups, and targets according to your organisation’s needs.

  3. Configure access policies, PAM policies, audit settings, and logging.

  4. Set up backup and disaster-recovery procedures, especially for on-premises deployments: database backups, session logs, etc.

  5. For Kubernetes deployments: monitor resource usage, set up auto-scaling or high-availability if required, and plan updates/maintenance.

  6. For SaaS or trial tenants: Understand the evaluation period (e.g., the 2-month dedicated tenant scenario) and plan go-live or migration accordingly.

Configuration and Integration

Target Systems Onboarding

Manage PAM Targets, including editing configurations, removing targets, and starting sessions. The overview lists all PAM targets with their basic and detailed configuration. The detailed view adds further information, such as the list of users with access to each PAM target, session recordings, and typescript files (text transcripts of terminal sessions).

Excalibur PAM treats every session as privileged and records it by default. Every action performed by the user is cryptographically signed to confirm that an authenticated user performed it. Because every action and every PAM session is recorded and signed, each one is continuously bound to a strongly multi-factor authenticated identity: access cannot be delegated, and a user cannot claim that another user performed an action.

Figure 4. PAM: Targets

You can add targets in two ways: manually or by importing a CSV file.

Add PAM Target manually

With manual entry, you can input target details directly into the system, making it a convenient option for adding individual targets or making quick changes.

Figure 5. PAM: Add PAM target manually

Figure 6. PAM: Add RDP PAM Target

Import PAM Targets from CSV file

For bulk additions, the CSV import feature allows you to upload multiple targets at once. A CSV template is available for download, ensuring the correct format is used.

Figure 7. PAM: Import PAM Targets from CSV file

Figure 8. PAM: Download Template step 1

Figure 9. PAM: Download Template step 2

After downloading the template, fill in the necessary details, save the file in CSV format, and upload it through the import section. Once uploaded, review the data and confirm the import to finalize the process.

Make sure the CSV file follows the required structure to prevent any import errors.

Configure Active Directory Permissions for Password Reset

For Excalibur to handle user password changes (e.g., for expired passwords) and for the Password Rotation Policy to function, the LDAP service account requires specific permissions in Active Directory.

LDAPS is Required

The Identity Store must be configured to use the LDAPS protocol: password reset does not work over plain-text LDAP.

The following guide describes how to configure these minimal permissions via the Active Directory Users and Computers Delegation of Control wizard.

Required Permissions

The user account that will reset the passwords will need at least the following permissions:

  • Change password
  • Reset password
  • Read lockoutTime
  • Write lockoutTime
  • Read pwdLastSet
  • Write pwdLastSet
  • Read UserAccountControl
  • Write UserAccountControl

Configuration Steps

  1. Create a standard user account that will be used to reset passwords for other user accounts (in this example the account is named 'ResetPassword').
  2. In Active Directory Users and Computers, right-click on the Organizational Unit (OU) that holds the user accounts for whom the password needs to be reset and select Delegate Control....
  3. In the wizard, add the User(s) or Group(s) that will need these additional permissions.

  4. Click Next.

  5. Select Create a custom task to delegate

  6. Click Next.

  7. Select Only the following objects in the folder, scroll to the bottom of the list, check User objects.

  8. Click Next.

  9. Select the General checkbox. In the list below, check the permissions:

    • Change password
    • Reset Password

  10. Clear the General checkbox and select the Property-specific checkbox.

  11. In the list, check the permissions:

    • Read lockoutTime
    • Write lockoutTime
    • Read pwdLastSet
    • Write pwdLastSet
    • Read UserAccountControl
    • Write UserAccountControl

  12. Click Next, and then click Finish to complete the wizard.
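The wizard steps above produce access control entries on the OU that apply to descendant User objects. The following script is an added example (not the Excalibur project's own tooling) that audits the OU's security descriptor for exactly the eight permissions in the Required Permissions list, warns if the account holds broader rights than those, and with -Apply adds any entries that are missing. It uses the RSAT ActiveDirectory module; the OU distinguished name and the account name are placeholders. GUIDs for attributes and extended rights are resolved from the forest schema rather than hard-coded.

```powershell
<#
  Added example (not part of the Excalibur documentation): audit, and optionally
  grant, the minimal password-reset permissions for the LDAP service account on
  one OU. Requires the ActiveDirectory module (RSAT) and rights to read, and with
  -Apply to modify, the OU's security descriptor.
  Assumptions: $OuDN and $Account are placeholders.
#>
param(
    [string]$OuDN    = 'OU=Staff,DC=example,DC=com',   # placeholder OU holding the users
    [string]$Account = 'EXAMPLE\ResetPassword',         # placeholder service account
    [switch]$Apply                                      # add missing entries instead of only reporting
)

Import-Module ActiveDirectory

$rootDse  = Get-ADRootDSE
$schemaNC = $rootDse.schemaNamingContext
$configNC = $rootDse.configurationNamingContext

# Resolve GUIDs from the forest schema instead of hard-coding them.
function Get-SchemaGuid([string]$LdapDisplayName) {
    $o = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
    if (-not $o) { throw "Schema object '$LdapDisplayName' not found" }
    return [guid]$o.schemaIDGUID
}
function Get-ExtendedRightGuid([string]$DisplayName) {
    $o = Get-ADObject -SearchBase "CN=Extended-Rights,$configNC" -LDAPFilter "(displayName=$DisplayName)" -Properties rightsGuid
    if (-not $o) { throw "Extended right '$DisplayName' not found" }
    return [guid]$o.rightsGuid
}

$sid       = (New-Object System.Security.Principal.NTAccount($Account)).Translate([System.Security.Principal.SecurityIdentifier])
$userClass = Get-SchemaGuid 'user'     # entries are scoped to descendant User objects only
$ext   = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
$read  = [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty
$write = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty

# The eight permissions from the Required Permissions list.
$required = @()
foreach ($r in 'Change Password', 'Reset Password') {
    $required += [pscustomobject]@{ Name = $r; Rights = $ext; Guid = Get-ExtendedRightGuid $r }
}
foreach ($a in 'lockoutTime', 'pwdLastSet', 'userAccountControl') {
    $g = Get-SchemaGuid $a
    $required += [pscustomobject]@{ Name = "Read $a";  Rights = $read;  Guid = $g }
    $required += [pscustomobject]@{ Name = "Write $a"; Rights = $write; Guid = $g }
}

$acl   = Get-Acl -Path "AD:\$OuDN"
$rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier]) |
         Where-Object { $_.IdentityReference -eq $sid -and $_.AccessControlType -eq 'Allow' }

$missing = @()
foreach ($req in $required) {
    $hit = $rules | Where-Object {
        (($_.ActiveDirectoryRights -band $req.Rights) -eq $req.Rights) -and
        $_.ObjectType -eq $req.Guid -and
        ($_.InheritedObjectType -eq $userClass -or $_.InheritedObjectType -eq [guid]::Empty)
    }
    if ($hit) { Write-Host "OK      $($req.Name)" }
    else      { Write-Host "MISSING $($req.Name)"; $missing += $req }
}

# Least-privilege check: an entry with no object GUID and generic rights grants far
# more than the list above (e.g. full control over every user in the OU).
$broad = $rules | Where-Object {
    $_.ObjectType -eq [guid]::Empty -and
    ($_.ActiveDirectoryRights -band ([System.DirectoryServices.ActiveDirectoryRights]::GenericAll -bor
                                     [System.DirectoryServices.ActiveDirectoryRights]::GenericWrite)) -ne 0
}
if ($broad) { Write-Warning "$Account holds generic rights on $OuDN beyond the minimal set: $($broad.ActiveDirectoryRights -join ', ')" }

if ($Apply -and $missing) {
    foreach ($req in $missing) {
        $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
            $sid, $req.Rights, [System.Security.AccessControl.AccessControlType]::Allow, $req.Guid,
            [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents, $userClass)
        $acl.AddAccessRule($rule)
    }
    Set-Acl -Path "AD:\$OuDN" -AclObject $acl
    Write-Host "Added $($missing.Count) missing entries to $OuDN"
}
```

Run it without -Apply first to see what the wizard actually granted; the broad-rights warning is the check worth keeping in a periodic review, since a service account that can reset passwords for a whole OU should hold nothing beyond this list.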

Policy Configuration

Through Security Policies, administrators can specify which users are granted access to specific PAM Targets, thereby establishing clear and enforceable access controls. This capability is crucial for maintaining security and ensuring that sensitive resources are only accessible to authorized individuals.

Administrators have the ability to view existing policies, as well as edit, remove, or create new policies as required. This flexibility allows organizations to respond effectively to changing security needs and to implement best practices in access governance.

By utilizing the tools available in the "Security Policies" section, organizations can ensure that their access management framework is robust, compliant, and aligned with their security objectives.

Rule Sets

This section is dedicated to listing all Rule Sets associated with the Security Policy. Users can efficiently manage these Rule Sets from this interface, allowing for streamlined oversight and adjustments as needed. This functionality ensures that organizations can maintain effective access controls and adapt their security measures in alignment with evolving requirements.

Figure 10. Security Policies: Rule Sets

Network Policy

This section allows users to view all network policies linked to the system tenant. It provides a comprehensive overview of the policies in place, facilitating better understanding and management of network configurations associated with the tenant. The System Administrator can choose which networks PAM targets can be distributed to.

Figure 11. Network Policies: List of all network policies associated with system tenant

Mobile Token Deployment

The Excalibur mobile app serves as a security token for password-free authentication. It uses your mobile phone to verify authentication factors such as location, PIN code, fingerprint, Face ID, etc.

In order to use Excalibur, you must first install the Excalibur mobile app. The application is available for free in the Play Store and App Store. Store links are available on https://getexcalibur.com, as well as on the email registration screen.

Invitations

This screen lists all invited users in the system and manages their invitations. From here it is possible to add and invite new users from the Identity Store, to monitor the status of invitations and related information, or to delete existing ones. Invited users are immediately available in the Users section of the dashboard, where they can be assigned to groups, PAM resources, etc.

Figure 12. Invitations: List of invitations

From here, the administrator can perform the following actions:

  • Copy the invitation link to the clipboard
  • Reinvite a user
  • Delete an invitation

The administrator can also create a new invitation by clicking the "+" button in the bottom right corner. Then, select the Identity Store (refer to the Identity Store section for more details) where the user is located.

Figure 13. Invitations: Add invitation

Figure 14. Invitations: Choose Identity Store

Then, select a user and assign the appropriate role(s).

Figure 15. Invitations: Assign role(s) to the user

After making the selection, a notification will appear in the bottom left corner confirming that the invitation has been successfully sent.

Figure 16. Invitations: Successfully sent invitation

Roles

Roles cannot be switched: a user who holds multiple roles always sees the console of their highest role.

Administrator

Administrator is the role with the highest privileges in an Excalibur system deployment. It is also the role of the first created and registered user. There must always be at least one System Administrator on the system. The System Administrator has access to the general settings of the entire deployment, as well as the creation and management of individual tenants and all roles. It has access to all tenants, including the System Tenant. In addition to these responsibilities, the System Administrator is also authorized to send invitations to new users, allowing them to join the system and access its features. This enables the System Administrator to manage user access and control the growth of the system's user base. The System Administrator's comprehensive privileges and capabilities make them the central authority for managing and maintaining the Excalibur system.

Auditor

This role is designed to provide oversight and transparency within the Excalibur system. This role is primarily focused on monitoring and reviewing activities without the ability to make any modifications or changes to the system settings or user configurations. Auditors have comprehensive visibility into all information, including user activities and system actions, ensuring that compliance and operational integrity are maintained. However, it is important to note that they do not possess the privileges to alter any configurations or settings within the application. This role is essential for organizations that require an independent review process to ensure adherence to policies and regulations while safeguarding the integrity of the system.

User

User is an Excalibur system end user role. The user has access only to the tenant environment to which it belongs and to the individual PAM resources assigned to the given user, or user group to which it belongs. This role provides limited access to the system, allowing users to perform tasks and access resources that are specifically assigned to them, while maintaining the security and integrity of the system. The User role is ideal for individuals who need to access specific resources and perform tasks within a controlled environment, without requiring administrative privileges.

Excalibur Tunnel Client

Overview

The Excalibur Tunnel Client creates an encrypted link between your local network and the Excalibur Cloud, giving you secure access to on-premises PAM resources. Clients are available for Linux (Debian/Ubuntu/Red Hat/CentOS) and Windows. To set it up:

  • Install the Excalibur Tunnel Client on a machine inside your local network.
  • Activate the tunnel to establish a secure connection to Excalibur Cloud.

For comprehensive documentation, please refer to:

Install Excalibur Tunnel Client

Prerequisites:

Before installing the Excalibur Tunnel Client, ensure your system meets the following requirements:

  • Operating System: Linux (Debian/Ubuntu or Red Hat/CentOS) or Windows.
  • Privileges: Administrative (sudo) privileges
  • Network: Connectivity to the Excalibur Cloud
  • Activation Code: Provided by Excalibur Enterprise

Installation:

For detailed instructions on installing the Excalibur Tunnel Client, activating the connection, verifying the installation, deactivating the connection, and uninstalling the application, please visit the Excalibur Tunnel Client GitHub repository.

The commands to run are also listed in the Tunnel Documentation within the Excalibur Dashboard. An example of the commands shown there:

Figure 17. Excalibur Tunnel Client: Commands to run in Dashboard

Excalibur Tunnel Client on command line:

Running the Excalibur Tunnel Client on the command line with the --help flag also lists the available parameters: sudo excalibur-tunnel --help

Figure 18. Running Excalibur Tunnel Client in the command line with flag --help

Validation and Testing

This section outlines how to test the key functionalities of the system to ensure that all components are working properly.

Verify Application Components

  • Access the system’s dashboard via a supported browser and ensure the login page/main interface loads correctly with no broken links or missing elements.
  • Navigate through sections to confirm responsiveness and accessibility.

Test Invitation Functionality

  • Send a sample invitation from the Invitations tab to a test email address.
  • Verify timely delivery, correct content, and that the link redirects to the correct registration page.

Check User Registration

  • Complete a test registration using the invitation link or directly through the web interface.
  • Confirm that the new user account is created and the system provides confirmation.

Test User Login

  • Log in to the system with a valid account to ensure proper login functionality.

Test PAM Target Addition

  • Add a new PAM target and confirm successful saving.
  • Test connection to the target to ensure interaction is possible.

End-to-End System Test

  • Perform a full cycle: invitation, registration, login, target addition, and interaction.
  • Monitor system logs for errors or unexpected behavior.

By following these steps, you can ensure that the system is functioning correctly and that all components are working as intended. Document any issues encountered during testing for further investigation and resolution.

Maintenance and Upgrades

Backup

Excalibur’s application includes a built-in module that performs database backups several times per day. It keeps the last 8 hourly backups and the last 7 daily backups. This module is capable of backing up the application database, call recordings, session data, and transferred session files. Backups can be stored locally or on a mounted network drive. Each backup is encrypted. It is recommended that these backups are protected and managed through the customer’s own backup solution for additional security.

Maintenance

The application supports log export via the Syslog protocol, allowing logs to be processed and analyzed by a central log management system or a Security Information and Event Management (SIEM) solution.

Upgrades

For on-premises deployments, upgrades follow the same procedures as installation. Update packages incorporate all necessary upgrade mechanisms including automatic database migration. Updated manifests are provided by Excalibur and must be applied by the customer. For cloud deployments, updates are managed by Excalibur.

Troubleshooting

When troubleshooting issues, it is crucial to identify the root cause and gather all relevant information. Review system logs from the application, operating system, and network components to pinpoint errors or unusual behavior. Collect logs that contain specific details about the problem, which will assist in diagnostics.

Error Characteristics

When diagnosing an issue, consider the following components:

  • User Role(s): The roles affected by the error and those that may be able to resolve it.
  • Source Component: The component where the error originates.
  • Destination Component: The component where the error is presented to the user.
  • Action(s): The specific actions that trigger the error.

Error Categories

Errors in Excalibur can be classified into the following categories:

User Action Errors

  • Description: Errors triggered by user actions, typically beginning on the Token.
  • Source Component: Any component involved in the user’s action.
  • Destination Component: Usually the Token where the action was initiated.

Administrative Action Errors

  • Description: Errors triggered by administrative actions, mostly in the Dashboard but occasionally on the admin's Token.
  • Source Component: Any component involved in the admin’s action.
  • Destination Component: Typically the Dashboard or Token (if the action was token-based).

Excalibur System Errors

  • Description: Errors triggered by internal issues within Excalibur’s components, networking, or platform interactions.
  • Source Component: Internal Excalibur component actions, interactions, or configurations.
  • Destination Component: These errors are logged on the server for review and generally cannot be resolved by the user.

Troubleshooting Steps

Identify the Type of Error

  • Determine if the error is related to User Action, Administrative Action, or an Excalibur System Error.
  • Review the Source Component and Destination Component to help pinpoint where the error originated and where it was presented.

Gather Relevant Information

  • Review System Logs: Check the application, operating system, and network logs for any errors or unusual behavior.
  • Look for Specific Details: Focus on logs that provide key information related to the issue.

Secure and Share Logs

  • Protect Sensitive Data: If necessary, password-protect logs containing sensitive information before sharing.
  • Provide Detailed Descriptions: Include a timeline of events and any relevant actions that may have led to the error. Share all logs and details with your partner or Excalibur’s support team for faster resolution.

Collaborate with Support

  • Share the collected information with your partner or Excalibur’s technical team to help expedite the resolution process.
  • Ensure that all required logs and context are included to facilitate quicker analysis.

Final Considerations

  • System Errors: These are typically non-resolvable by users and are logged on the server for review by Excalibur support.
  • Administrative Errors: If issues occur during installation or configuration, refer to the component-specific logs for direct error messages.