See the following sections for more information on the PrivX microservices.
Nginx is an open source HTTP server and reverse proxy. It routes traffic from the public facing 443 and 80 ports to individual PrivX microservices. It also routes internal microservice TLS traffic. It also serves static files. All traffic is HTTPS apart from Windows Certificate Revocation List requests which in accordance with Microsoft implementation must be over HTTP port 80. All external and internal communication is through REST APIs.
The Authentication microservice authenticates clients and users to PrivX system via OAuth2. It will authenticate the requesting client either against the local user store or a specified remote user source such as an Active Directory, LDAP or Open ID Connect provider.
The Role Store integrates to both user providers (sources) (B) and to host directories (targets) (C & D). It essentially fetches users from remote sources (B) and maps the users to PrivX roles according to pre-defined rules or explicit role grants. Other microservices will query Role Store for user's roles on on-demand basis. The role store will also fetch target hosts from cloud providers (C & D) and push them to host store (9). Role Store keeps discovered users and mapped roles in-memory for fast access and resolving.
The User Store is a PrivX-specific user directory. By default, the initial administrator account is created into the user directory. The User Store allows PrivX to act as a standalone solution and it also allows the creation of temporary users which necessarily need not be created in a user directory upstream from PrivX.
The Workflow Engine allows users to request roles and for the approvers to grant or deny role requests. It will also push out email notifications to approvers.
The Monitor Service collects health data and audit events from PrivX microservices and associated extenders.
The Keyvault microservice stores all sensitive data within PrivX. The sensitive data includes, stored credentials, private keys and so forth.
The Host Store stores all locally added hosts as well as hosts discovered from cloud providers (C & D). It also keeps track of service, account and role mappings and the proxy microservices will check the host configuration from the host store before allowing access to a target host.
Authorizer creates the ephemeral certificates needed to access SSH and RDP target hosts via certificate authentication. It will also provide public keys and/or stored credentials from the keyvault to proxies for authentication.
The Connection Manager keeps track of all ongoing proxied connections to target hosts. The administrator can also terminate connections, or if the connection was audited, playback the audit trail from the trail storage (14).
SSH Proxy establishes SSH connections to target hosts. It will verify user's roles and check that the roles match the configuration found for the host from the host store. The PrivX UI will establish a websocket connection to the SSH Proxy for the VT100 terminal emulation. If the connection is audited, the SSH Proxy will create a trail file to trail storage (14) and also play it back on Connection Manager's (11) request. The proxy can connect to the target host directly or via the PrivX extender (18).
RDP proxy establishes RDP connections to target hosts. It will verify user's roles and check that the roles match the configuration found for the host from the host store. The PrivX UI will establish a websocket connection to the RDP Proxy desktop session. If the connection is audited, the RDP Proxy will create a trail file to trail storage (14) and also play it back on Connection Manager's (11) request. The proxy can connect to the target host directly or via the PrivX extender (18).
Audit Trail Storage
The audit trail storage is a directory on the PrivX host. Ideally, this directory would be mounted to a secure NAS/SAN solution.
The PrivX microservices write audit-, debug- and systemlogs to local syslog file. Rsyslog (or equivalent) should be configured to transfer the log files to an external SIEM solution (A).
PrivX uses PostgreSQL as the storage mechanism for configuration data such as role mappings as well as manually added users or hosts and discovered cloud hosts.
Redis is used as a notification mechanism between the microservices. No sensitive data is put in it, only timestamps.
PrivX Extender enables PrivX to reach firewalled private networks or virtual private clouds. Once deployed in the private network, it will establish a number of websocket connections to PrivX to route traffic from PrivX proxies to the target network.
PrivX Carrier provides a virtualized runtime environment via Docker for the Firefox containers used for Web Access.
PrivX Web Proxy
PrivX Web Proxy intercepts the traffic from the Firefox containers to the target hosts and provides secrets on the fly.