A Launcher is an executable object. Depending on its type, it can perform the required operations in the target system (start the browser, start RDP...), or, after connecting via the Secret template and the created Connection, it can start the application and log the user in using the stored credentials. How a launcher is created depends on its type and its use:


  • Launcher type Agent works by simulating user actions directly in a specific application. According to its settings, the agent first launches the application and then performs the defined steps as if the user were performing all the actions themselves. One agent can be defined for several platforms (macOS, WIN or Linux).


  • Launcher type Agent RDP is processed by directly opening the Remote desktop application, inserting the configured credentials and connecting the user to the configured remote desktop


  • Launcher type Agent SSH is processed by directly using the SSH protocol to secure the connection with the web servers
    • This type of launcher allows the user to authenticate in 3 possible ways:
      1. by username and password
      2. by SSH key
      3. by SSH key and password


  • Launcher type Guacamole is processed by directly using the guacamole configuration defined in the Integration part of ANT PAM settings. Guacamole allows the system to make a desktop PC, terminal server or any other server remotely accessible via the browser. This means that complex applications can be transferred to the browser of weaker PCs and used there.
    • ANT ID supports the following types of Guacamole launchers:
      1. Guacamole TELNET
      2. Guacamole VNC
      3. Guacamole SSH
      4. Guacamole RDP


  • Launcher type F5 - the launcher acts as a kind of proxy that authenticates the user's identity, obtains the token and then the credentials stored within the specific secret (identified via launcher mapping on the secret template level). Using the obtained credentials, it is then able to log the user into a system that does not directly support SSO (e.g. legacy system). There are two types of execution in the F5:
    • Autodiscovery - based on the defined specifics, the F5 ensures the token is verified by the trustworthy identity provider, then searches for the specific secret in the personal folder of the user to get the credentials, and finally uses the obtained credentials to log the user into the target system
    • Runnable - the launcher is run directly from a specific secret, so the credentials are obtained immediately and F5 can use them directly to log in to the target system. When the F5 launcher is executed from the secret's launcher, the launcher page or a connection, ANT ID generates a random unique executionId and redirects the user to the defined endpoint with the request parameter executionId={uuid}. The F5 injector should skip user authentication for this endpoint because there is a timeout for credentials retrieval; instead, F5 should call this endpoint with the execution id. Authentication and authorization have already been done in the ANT PAM application.
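
The Runnable handoff described above, sketched as an added example (not ANT ID or F5 code): a broker issues a random executionId bound to the credentials, and the credentials can be fetched with it only within the timeout. The class and function names, the example URL, the 30-second timeout and the single-use rule are assumptions made for illustration.

```python
import time
import uuid
from urllib.parse import parse_qs, urlencode, urlparse


class ExecutionBroker:
    """Hypothetical stand-in for the side that issues executionId values."""

    def __init__(self, ttl_seconds=30, clock=time.monotonic):
        self._ttl = ttl_seconds      # assumed credentials-retrieval timeout
        self._clock = clock          # injectable so expiry can be tested
        self._pending = {}           # executionId -> (expires_at, credentials)

    def start(self, endpoint, credentials):
        """Called after authentication/authorization: build the redirect URL."""
        execution_id = str(uuid.uuid4())   # random, unguessable identifier
        self._pending[execution_id] = (self._clock() + self._ttl,
                                       dict(credentials))
        separator = "&" if urlparse(endpoint).query else "?"
        return endpoint + separator + urlencode({"executionId": execution_id})

    def redeem(self, execution_id):
        """Return the credentials once; None if unknown, reused or expired."""
        entry = self._pending.pop(execution_id, None)   # pop makes it single use
        if entry is None:
            return None
        expires_at, credentials = entry
        if self._clock() > expires_at:
            return None
        return credentials


def execution_id_from_redirect(url):
    """Injector side: accept exactly one executionId that parses as a UUID."""
    values = parse_qs(urlparse(url).query).get("executionId", [])
    if len(values) != 1:
        return None
    try:
        return str(uuid.UUID(values[0]))
    except ValueError:
        return None


def demo():
    """Constructed run: normal retrieval, a replay, and a late retrieval."""
    now = [1000.0]
    broker = ExecutionBroker(ttl_seconds=30, clock=lambda: now[0])
    creds = {"username": "svc-legacy", "password": "constructed-sample"}

    url = broker.start("https://f5.example.test/launch", creds)
    execution_id = execution_id_from_redirect(url)
    first = broker.redeem(execution_id)    # within the timeout: credentials
    replay = broker.redeem(execution_id)   # same id again: refused

    late_url = broker.start("https://f5.example.test/launch", creds)
    now[0] += 31                           # retrieval arrives after the timeout
    late = broker.redeem(execution_id_from_redirect(late_url))
    return first, replay, late


if __name__ == "__main__":
    print(demo())
```

Because the endpoint itself is reached without user authentication, the executionId is the only thing protecting the credentials in this sketch, which is why it is random, short-lived and validated before use.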


For Agent and Agent RDP/SSH launchers it is necessary to download and install the Agent application on the user's device.

For related privileges see Privileges and Permissions and for specific permissions for Launchers see Permission chapter.


Available actions for user with appropriate privileges:

Create launcher

Create new Launcher object - the form for launcher creation differs based on the type of the launcher:

Modify launcher

Modification is divided into more parts:

Run launcher

Executes the launcher - the Launcher will ask for values for variables and then perform the defined steps (in case of type Agent).

Deactivate

For active Launchers -> set the status to inactive

Enable

For inactive Launchers -> set the status to active

Filter

Filter active or inactive Launchers

Search

Opens the box to input the text to be searched

Display detail

[ click on the row ]

Open drawer with the detail of the Launcher


Available actions for user with appropriate privileges on the Permissions tab:

Edit permissions

[ option in context menu ]

Open form to adjust permissions on the Launcher


Available actions for user with appropriate privileges on the Logs tab:

Open log in the full page

[ option in context menu ]

Opens a tab with a brief overview of activities done with the object. Using the context menu, the user can open the log in a more detailed view.



Create Launcher type Agent

1

Click on the tab Launchers in ANT PAM settings section.

2

The list of existing Launchers will be displayed.

  • Note: only objects where the user has relevant permissions are displayed.

3

Press the CREATE button.

4

Insert the Name and Description of the launcher and select type Agent and press button CONTINUE

5

The next step of creation form is displayed

6

Select which platform will use this agent launcher. Insert the name of the application, the path to the executable file and the platform. If several paths lead to the executable files, use the ADD MORE PATHS button to display more input boxes.


  • Note: in case of more platforms more application paths can be added to cover all platform needs.

7

Press button CONTINUE.

8

The step manager is displayed - in this step the activities that simulate the user are defined.

9

Insert Step name and Operation type - type defines the activity done by agent - each type of operation has own set of parameters:

  • Click - the agent will search the screen for the specific place and perform mouse click.
    • Identifier type:
      • Text - define the place on the screen by string (e.g. Button2)
      • Img - upload picture
  • Type - the agent will search the screen for specific place and insert defined value.
    • Identifier type:
      • Text - define the place on the screen by string (e.g. Button2)
      • Img - upload picture
    • Value - value that will be inserted into the selected screen position (defined by identifier). A value written as ${VALUE} is saved as a variable, which can be replaced by other values during execution of the launcher.
  • Find - the agent will search the screen for specific place within the defined time period and if the search is successful then continue to next step, if not then it will stop the execution of launcher.
    • Identifier type:
      • Text - define the place on the screen by string (e.g. Button2)
      • Img - upload picture
  • Sleep - the agent will just wait for defined time period
  • Pyautogui hotkey - the agent performs defined hotkey (e.g. Ctrl+C, Tab...).
    • Value - list of hotkeys that could be pressed
  • Pyautogui press - the same as Pyautogui hotkey but only one button press is performed (e.g. Enter).
    • Value - list of hotkeys that could be pressed
  • Pyautogui typewrite - the agent will insert defined value (to the active element on the screen).
    • Value - value that will be inserted into the selected screen position (defined by identifier). A value written in the format ${VALUE} is saved as a variable, which can be replaced during execution of the launcher.

10

Press the SAVE STEP button to save the step to the step manager (this also makes it possible to define conditions on the step - see below)


  • Note: autosave function is activated for launchers in DRAFT state

11

If the step needs a condition to be validated, select the step in the Saved steps section and click the EDIT CONDITIONS button to open the configuration modal window. Conditions for the step can be defined for a specific platform.


The following types of conditions can be configured:

  1. variables condition
    • the condition is based on the values represented by variables, for example: the step is triggered when the variable Domain equals some value. When the condition is met, the step is executed; when it is not met, the step is skipped.
  2. step condition - valid only for steps of type FIND, CLICK and TYPE
    • the condition is based on the positive or negative execution of a previous step, for example: the step is triggered when the application finds an object on the screen in one of the previous steps, and vice versa.

11

Define Timeout (millisec) - the time period within which the agent attempts to perform this operation.

12

Define if the step is Mandatory - if the step is mandatory and the agent cannot perform the operation within the defined time period, the agent run ends.

13

Press the SAVE STEP button. Save button also saves the conditions configured in the step manager.

  • Note: The autosave feature will save the launcher in the DRAFT status

14

The step is saved into the Saved steps overview on the right side of the form. If a variable is defined in any step, the variables are displayed (for information) in the Detected variables section.

Steps can be reorganized by drag & drop or deleted.

The icon of the relevant platform is displayed, together with an indication that a condition is defined.


When the steps are finalized, press the CONTINUE button.

15

The form for definition of variables is displayed

16

For every variable the following parameters can be defined:

  • Variable name (mandatory value) - name of the variable
  • Default value - default value in case that the value is e.g. recommended by the purpose of Launcher
  • Mandatory variable - in case that the value is mandatory for proper run of the Launcher
  • Variable description - optional description
  • Define in mapping - in case that the variable has to be mapped on the secret template field in the Launcher mapping function on the Secret template.
  • Sensitive - in case that the variable might contain sensitive value like password - the presentation of this variable will be obfuscated (by mask ***)

17

Press button SAVE.

18 

The launcher will be saved and displayed in the list of Launchers. The status is set from DRAFT to ACTIVE.
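
How the ${VALUE} placeholders, the variables condition, and the Default value, Mandatory and Sensitive parameters fit together, as an added example (not ANT PAM or Agent code): it detects variables in step values, resolves them, skips steps whose condition is not met, and renders a log view with *** in place of Sensitive values. The dictionary layout, step names and function names are assumptions.

```python
import re

PLACEHOLDER = re.compile(r"\$\{([A-Za-z_][A-Za-z0-9_]*)\}")

# Constructed sample: steps as they might be entered in the step manager.
STEPS = [
    {"name": "Select corporate realm", "operation": "click",
     "identifier": "Corporate login",
     "condition": {"variable": "Domain", "equals": "CORP"}},
    {"name": "Enter user", "operation": "type", "identifier": "Username",
     "value": "${Domain}\\${Username}"},
    {"name": "Enter password", "operation": "pyautogui typewrite",
     "value": "${Password}"},
    {"name": "Submit", "operation": "pyautogui press", "value": "enter"},
]

# Constructed sample: the parameters defined for each variable.
VARIABLES = {
    "Domain": {"default": "CORP", "mandatory": False, "sensitive": False},
    "Username": {"default": None, "mandatory": True, "sensitive": False},
    "Password": {"default": None, "mandatory": True, "sensitive": True},
}


def detect_variables(steps):
    """Variable names found in step values, in first-seen order."""
    seen = []
    for step in steps:
        for name in PLACEHOLDER.findall(step.get("value", "")):
            if name not in seen:
                seen.append(name)
    return seen


def resolve(variables, supplied):
    """Apply default values, then refuse to run if a mandatory one is empty."""
    values = {}
    for name, spec in variables.items():
        value = supplied.get(name) or spec["default"]
        if value is None and spec["mandatory"]:
            raise ValueError(f"mandatory variable {name} has no value")
        values[name] = value or ""
    return values


def plan(steps, variables, values, for_log=False):
    """Return (step name, rendered value) for each step whose condition holds."""
    def substitute(match):
        name = match.group(1)
        if name not in values:
            return match.group(0)        # unknown placeholder stays visible
        if for_log and variables[name]["sensitive"]:
            return "***"                 # Sensitive values never reach the log
        return values[name]              # returned as-is, backslashes included

    rendered = []
    for step in steps:
        cond = step.get("condition")
        if cond and values.get(cond["variable"]) != cond["equals"]:
            continue                     # condition not met: step is skipped
        text = PLACEHOLDER.sub(substitute, step.get("value", ""))
        rendered.append((step["name"], text))
    return rendered


if __name__ == "__main__":
    vals = resolve(VARIABLES, {"Username": "alice", "Password": "p\\w0rd"})
    for line in plan(STEPS, VARIABLES, vals, for_log=True):
        print(line)
```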




Create Launcher type Agent RDP

1

Click on the tab Launchers in ANT PAM settings section.

2

The list of existing Launchers will be displayed.

  • Note: only objects where the user has relevant permissions are displayed.

3

Press the CREATE button.

4

Insert the Name and Description of the launcher and select type Agent RDP and press the button SAVE.

Launcher type Agent RDP has the following variables created automatically:

  • Hostname
  • Domain
  • Username
  • Password
  • Port (with default value 3389)

5

The Launcher is created and displayed in the list of Launchers.




Create Launcher type Agent SSH

1

Click on the tab Launchers in ANT PAM settings section.

2

The list of existing Launchers will be displayed.

  • Note: only objects where the user has relevant permissions are displayed.

3

Press the CREATE button.

4

Insert the Name and Description of the launcher and select type Agent SSH and press the button SAVE.

Launcher type Agent SSH has the following variables created automatically:

  • Hostname
  • SshPort (with default value 22)
  • Username
  • SshPassword
  • SshKey
  • SshKeyPassword

5

The Launcher is created and displayed in the list of Launchers.




Create Launcher type F5

1

Click on the tab Launchers in ANT PAM settings section.

2

The list of existing Launchers will be displayed.

  • Note: only objects where the user has relevant permissions are displayed.

3

Press the CREATE button.

4

Insert the Name and Description of the launcher, select type F5 and press the CONTINUE button.

5

F5 works on a different principle than the agent types of launchers. There are two ways the launcher can get the credentials to use for authentication in the target system.

  • Autodiscovery - define following parameters:
    • Autodiscovery address - URL address for direct entry into the application from the secret level
    • Issuer name - the identification of the trustworthy identity provider (e.g. redhatSSO specific url)
    • Client ID - identification of the application that accepts tokens from the identity provider defined in the Issuer name
  • Runnable - define direct URL address to call F5:
    • Application address - the runnable launcher launches directly from the secret, so the saved credentials don't need to be looked up and F5 can use them to log in.

6

Press the button CONTINUE.

7

The page for configuration of Variables is displayed. For every variable the following parameters can be defined:

  • Slug name (mandatory value) - unique name of the variable
  • Variable name (mandatory value) - name of the variable
  • Default value - default value in case that the value is e.g. recommended by the purpose of Launcher
  • Mandatory variable - in case that the value is mandatory for proper run of the Launcher
  • Variable description - optional description
  • Define in mapping - in case that the variable has to be mapped on the secret template field in the Launcher mapping function on the Secret template.

8

Press button SAVE and the Launcher will be saved and displayed in the list.


By mapping this Launcher to the chosen Secret template (in the Launcher mapping function), the F5 looks up Secrets based on that Secret template to get the credentials necessary for proper execution.




Create Launcher type Guacamole TELNET

1

Click on the tab Launchers in ANT PAM settings section.

2

The list of existing Launchers will be displayed.

  • Note: only objects where the user has relevant permissions are displayed.

3

Press the CREATE button.

4

Insert the Name and optionally Description of the launcher and select type Guacamole TELNET and press the button CONTINUE.

5

The next page with launch configuration is opened.

6

Select the Guacamole server - configured in the Integration section of ANT PAM settings - and configure the following parameters:

  • Record session - available only if configured within the guacamole server
  • Clipboard disable copy - If set to “true”, text copied within the remote desktop session will not be accessible by the user at the browser side of the Guacamole session, and will be usable only within the remote desktop. This parameter is optional. By default, the user will be given access to the copied text.
  • Clipboard disable paste - If set to “true”, text copied at the browser side of the Guacamole session will not be accessible within the remote desktop session. This parameter is optional. By default, the user will be able to paste data from outside the browser within the remote desktop session.
  • keys with values - the list of keys - configuration of all possible keys could be seen on the official guacamole configuration page: https://guacamole.apache.org/doc/gug/configuring-guacamole.html
  • user name regex - The regular expression to use when waiting for the username prompt. This parameter is optional. If not specified, a reasonable default built into Guacamole will be used. The regular expression must be written in the POSIX ERE dialect (the dialect typically used by egrep).
  • password regex - The regular expression to use when waiting for the password prompt. This parameter is optional. If not specified, a reasonable default built into Guacamole will be used. The regular expression must be written in the POSIX ERE dialect (the dialect typically used by egrep).
  • login success regex - The regular expression to use when detecting that the login attempt has succeeded. This parameter is optional. If specified, the terminal display will not be shown to the user until text matching this regular expression has been received from the telnet server. The regular expression must be written in the POSIX ERE dialect (the dialect typically used by egrep).
  • login failure regex - The regular expression to use when detecting that the login attempt has failed. This parameter is optional. If specified, the connection will be closed with an explicit login failure error if text matching this regular expression has been received from the telnet server. The regular expression must be written in the POSIX ERE dialect (the dialect typically used by egrep).




Create Launcher type Guacamole VNC

1

Click on the tab Launchers in ANT PAM settings section.

2

The list of existing Launchers will be displayed.

  • Note: only objects where the user has relevant permissions are displayed.

3

Press the CREATE button.

4

Insert the Name and optionally Description of the launcher and select type Guacamole VNC and press the button CONTINUE.

5

The next page with launch configuration is opened.

6

Select the Guacamole server - configured in the Integration section of ANT PAM settings - and configure the following parameters:

  • Record session - available only if configured within the guacamole server
  • Clipboard disable copy - If set to “true”, text copied within the remote desktop session will not be accessible by the user at the browser side of the Guacamole session, and will be usable only within the remote desktop. This parameter is optional. By default, the user will be given access to the copied text.
  • Clipboard disable paste - If set to “true”, text copied at the browser side of the Guacamole session will not be accessible within the remote desktop session. This parameter is optional. By default, the user will be able to paste data from outside the browser within the remote desktop session.
  • keys with values - the list of keys - configuration of all possible keys could be seen on the official guacamole configuration page: https://guacamole.apache.org/doc/gug/configuring-guacamole.html
  • Allow proxied connection - Microsoft’s remote desktop server provides an additional gateway service which allows external connections to be forwarded to internal RDP servers which are otherwise not accessible. If you will be using Guacamole to connect through such a gateway, you will need to provide additional parameters describing the connection to that gateway, as well as any required credentials.




Create Launcher type Guacamole SSH

1

Click on the tab Launchers in ANT PAM settings section.

2

The list of existing Launchers will be displayed.

  • Note: only objects where the user has relevant permissions are displayed.

3

Press the CREATE button.

4

Insert the Name and optionally Description of the launcher and select type Guacamole SSH and press the button CONTINUE.

5

The next page with launch configuration is opened.

6

Select the Guacamole server - configured in the Integration section of ANT PAM settings - and configure the following parameters:

  • Record session - available only if configured within the guacamole server
  • Clipboard disable copy - If set to “true”, text copied within the remote desktop session will not be accessible by the user at the browser side of the Guacamole session, and will be usable only within the remote desktop. This parameter is optional. By default, the user will be given access to the copied text.
  • Clipboard disable paste - If set to “true”, text copied at the browser side of the Guacamole session will not be accessible within the remote desktop session. This parameter is optional. By default, the user will be able to paste data from outside the browser within the remote desktop session.
  • keys with values - the list of keys - configuration of all possible keys could be seen on the official guacamole configuration page: https://guacamole.apache.org/doc/gug/configuring-guacamole.html
  • Server keep alive interval - By default the SSH client does not send keepalive requests to the server. This parameter allows you to configure the interval in seconds at which the client connection sends keepalive packets to the server. The default is 0, which disables sending the packets. The minimum value is 2.




Create Launcher type Guacamole RDP

1

Click on the tab Launchers in ANT PAM settings section.

2

The list of existing Launchers will be displayed.

  • Note: only objects where the user has relevant permissions are displayed.

3

Press the CREATE button.

4

Insert the Name and optionally Description of the launcher and select type Guacamole RDP and press the button CONTINUE.

5

The next page with launch configuration is opened.

6

Select the Guacamole server - configured in the Integration section of ANT PAM settings - and configure the following parameters:

  • Record session - available only if configured within the guacamole server
  • Clipboard disable copy - If set to “true”, text copied within the remote desktop session will not be accessible by the user at the browser side of the Guacamole session, and will be usable only within the remote desktop. This parameter is optional. By default, the user will be given access to the copied text.
  • Clipboard disable paste - If set to “true”, text copied at the browser side of the Guacamole session will not be accessible within the remote desktop session. This parameter is optional. By default, the user will be able to paste data from outside the browser within the remote desktop session.
  • keys with values - the list of keys - configuration of all possible keys could be seen on the official guacamole configuration page: https://guacamole.apache.org/doc/gug/configuring-guacamole.html
  • Allow proxied connection - Microsoft’s remote desktop server provides an additional gateway service which allows external connections to be forwarded to internal RDP servers which are otherwise not accessible. If you will be using Guacamole to connect through such a gateway, you will need to provide additional parameters describing the connection to that gateway, as well as any required credentials.
  • Level of Security - ANY, NLA, NLA-EXT, TLS, VMCONNECT, RDP
  • Ignore certificate - If set to “true”, the certificate returned by the server will be ignored, even if that certificate cannot be validated. This is useful if you universally trust the server and your connection to the server, and you know that the server’s certificate cannot be validated (for example, if it is self-signed).
  • Normalize clipboard - The type of line ending normalization to apply to text within the clipboard, if any. By default, line ending normalization is not applied.
  • Initial program - The full path to the program to run immediately upon connecting. This parameter is optional.
  • server layout - The server-side keyboard layout. This is the layout of the RDP server and has nothing to do with the keyboard layout in use on the client. The Guacamole client is independent of keyboard layout. The RDP protocol, however, is not independent of keyboard layout, and Guacamole needs to know the keyboard layout of the server in order to send the proper keys when a user is typing. If your server’s keyboard layout is not yet supported, and it is not possible to set your server to use a supported layout, the failsafe layout may be used to force Unicode events to be used for all input; beware, however, that doing so may prevent keyboard shortcuts from working as expected.

7

When all configuration is done then press the CREATE button. The Launcher will be created and ready to use.
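
A review check for the RDP parameters above, as an added example (not part of ANT PAM or Guacamole): it flags launcher settings that weaken the session, using Guacamole's parameter names `security`, `ignore-cert`, `disable-copy`, `disable-paste` and `initial-program`. The launcher dictionaries are constructed samples, and the severity labels and the choice of what to flag are assumptions.

```python
PINNED_MODES = ("nla", "nla-ext", "tls", "vmconnect")


def is_true(params, key):
    """Guacamole parameters are strings; only "true" enables a flag."""
    return str(params.get(key, "")).strip().lower() == "true"


def audit_rdp_launcher(params, record_session=False):
    """Return (severity, message) findings for one Guacamole RDP launcher."""
    findings = []
    security = str(params.get("security", "")).strip().lower()

    if is_true(params, "ignore-cert"):
        findings.append(("high", "ignore-cert=true: the server certificate is "
                         "not validated, so an impostor host goes unnoticed"))
    if security in ("", "any"):
        findings.append(("medium", "security is not pinned: the mode is "
                         "negotiated with the server instead of required"))
    elif security == "rdp":
        findings.append(("high", "security=rdp: legacy RDP encryption, "
                         "no TLS and no NLA"))
    elif security not in PINNED_MODES:
        findings.append(("high", f"security={security!r} is not a listed mode"))
    if not is_true(params, "disable-copy"):
        findings.append(("low", "disable-copy is off: text can leave the "
                         "session through the browser clipboard"))
    if not is_true(params, "disable-paste"):
        findings.append(("low", "disable-paste is off: text can be pasted "
                         "into the session from the browser"))
    if not record_session:
        findings.append(("low", "Record session is off: no replay for review"))
    if params.get("initial-program"):
        findings.append(("info", "initial-program is set: confirm the path is "
                         "the intended application"))
    return findings


def severities(findings):
    return [severity for severity, _ in findings]


# Constructed samples of the "keys with values" list for two launchers.
WEAK = {
    "security": "any",
    "ignore-cert": "true",
    "initial-program": "C:\\Apps\\erp\\client.exe",
}
HARDENED = {
    "security": "nla",
    "ignore-cert": "false",
    "disable-copy": "true",
    "disable-paste": "true",
}

if __name__ == "__main__":
    for label, params, recorded in (("weak", WEAK, False),
                                    ("hardened", HARDENED, True)):
        print(label)
        for severity, message in audit_rdp_launcher(params, recorded):
            print(f"  [{severity}] {message}")
```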





Modify Launcher header

1

Click on the tab Launchers in ANT PAM settings section.

2

The list of existing Launchers will be displayed.

  • Note: only objects where the user has relevant permissions are displayed.

3

Click on the row with the desired launcher.

4

The drawer with the detail is displayed on the right side of the screen.

5

Use the button at the top of the drawer to open the header of the launcher

6

The modal window is displayed.

  • Note: header modify form is common to all types of launchers.

7

Adjust Name or Description and press button UPDATE.

8

The changes will be saved and modal window will be closed.




Modify Launcher specifics

1

Click on the tab Launchers in ANT PAM settings section.

2

The list of existing Launchers will be displayed.

  • Note: only objects where the user has relevant permissions are displayed.

3

Click on the chosen launcher and the drawer with the detail of the launcher will appear.

4

Go to the Specifics tab and press the MODIFY button.

5

The modal window displayed varies according to the type of Launcher:

  • Agent - The first step of the modification process displays the Application name and Application path fields. After the CONTINUE button is pressed, the second step contains the step manager, where all necessary changes in this area can be made, and the last screen contains the configuration of variables.
  • F5 - The first step of the modification process displays the screen for defining the type of F5 launcher - RUNNABLE and/or AUTODISCOVERY selection with relevant parameters
  • Agent RDP - this type of launcher doesn't have Specifics tab.




Modify Launcher variables

1

Click on the tab Launchers in ANT PAM settings section.

2

The list of existing Launchers will be displayed.

  • Note: only objects where the user has relevant permissions are displayed.

3

Click on the chosen launcher and the drawer with the detail of the launcher will appear.

4

Go to the Variables tab and press the MODIFY button.

5

The configuration page for variables is opened. For every variable the following parameters can be defined:

  • Slug name (mandatory value) - unique name of the variable
  • Variable name (mandatory value) - name of the variable
  • Default value - default value in case that the value is e.g. recommended by the purpose of Launcher
  • Mandatory variable - in case that the value is mandatory for proper run of the Launcher
  • Variable description - optional description
  • Define in mapping - in case that the variable has to be mapped on the secret template field in the Launcher mapping function on the Secret template.