One Identity Safeguard for Privileged Passwords backs up the following:
Safeguard for Privileged Passwords encrypts and signs the data before it makes it available for downloading to an off-appliance storage. Only a genuine Safeguard for Privileged Passwords Appliance can decrypt the backup after it is uploaded to the appliance. Backups downloaded from virtual appliances can only be uploaded and restored to a virtual appliance. Backups downloaded from hardware appliances can only be uploaded and restored to a hardware appliance. A hardware backup can be downloaded as virtual compatible once the hardware appliance has been authorized for VM Compatible Backups. A VM compatible backup can be uploaded and restored to a virtual appliance.
Archive servers are external physical servers where you store backup files and session recordings. Use the Archive Servers page on the Backup and Retention settings view to configure and manage archive servers.
You can configure an automatic backup schedule and specify which archive server will be used to automatically archive during a scheduled backup or when manually running a backup. For more information, see Backup settings.
For more information, see Archive backup.
To view and manage archive servers
- Navigate to Archive Servers settings:
- web client: Navigate to Backup and Retention | Archive Servers.
- desktop client: Administrative Tools | Settings | Backup and Retention | Archive Servers.
- The Archive Servers page displays the following information about previously configured archive servers.
- Name: The name of the archive server.
- Archive Method: The transfer protocol type being used.
- Network Address: The network DNS name or IP address used to connect to the server over the network.
- Storage Path: The file path where you want to store backup files on the archive server.
- Authentication Type: The type of authentication used to access the archive server, such as Password, Directory Account, or SSH Key.
- SSH Host Key Fingerprint: The fingerprint of the SSH key that Safeguard for Privileged Passwords uses to authenticate to the asset.
- Description: Information about the archive server.
- Use these toolbar buttons to perform operations.
Use the Archive Servers page on the Backup and Retention settings view to configure archive servers, which can then be selected to archive a backup file or assigned to an appliance to store its session recordings.
To configure an archive server
- Go to archive servers settings:
- web client: Navigate to Backup and Retention | Archive Servers.
- desktop client: Administrative Tools | Settings | Backup and Retention | Archive Servers.
The labels in the desktop client are in a slightly different order.
- Click Add and provide the following. (The desktop client items are in a slightly different order.)
- Enter the display Name for the archive server. Limit: 100 characters.
- Enter Description information about the archive server. Limit: 255 characters.
- For Archive Method, select a transfer protocol type:
- CIFS: Common Internet File System
- SCP: Secure Copy Protocol
- SFTP: Secure File Transfer Program
- For Network Address, enter a network DNS name or the IP address used to connect to the server over the network. Limit: 255 characters.
- If you select SCP or SFTP, enter the Port used by SSH to log in to the managed system. Not applicable for CIFS archive mode.
- For Storage Path, enter the file path where you want to store backup files on the archive server. Limit: 255 characters.
- For Authentication Type, select the type of authentication to be used to access the archive server:
- Password (default)
- Directory Account
- SSH Key (Available if an Archive Method of SCP or SFTP is selected.)
- If Directory is the Authentication Type:
- Account Name: Click Browse (web client) or Select Account (desktop client) to select the service account to be used to access the archive server.
- If you selected the Archive Method of SCP or SFTP, you can select Auto Accept SSH Host Key to have Safeguard for Privileged Passwords automatically accept the SSH host key when it creates the archive server.
- If Password is the Authentication Type:
- For Account Name, you can do one of the following:
- As an Appliance Administrator, if you also have Asset Administrator permission or are a Delegated Partition Owner, you can click Browse to select the service account to be used to access the archive server. If a Network Address was entered, you will see the managed accounts for the Network Address or no associated Network Address. Once you select an account, a Reset button is available to clear the managed account selection and Network Address is set to the selected account's network address.
- Enter the Account Name instead of browsing for a managed account.
- Password: Enter the service account password.
- If you selected the Archive Method of SCP or SFTP, you can select Auto Accept SSH Host Key to have Safeguard for Privileged Passwords automatically accept the SSH host key when it creates the archive server.
- If you selected the Archive Method of SCP or SFTP and selected SSH Key as the Authentication Type, proceed with these steps.
- For Account Name, you can do one of the following:
- As an Appliance Administrator, if you also have Asset Administrator permission or are a Delegated Partition Owner, you can click Browse to select the service account to be used to access the archive server. If a Network Address was entered, you will see the managed accounts for the Network Address or no associated Network Address. Once you select an account, a Reset button is available to clear the managed account selection and Network Address is set to the selected account's network address.
- Enter the Account Name instead of browsing for a managed account.
- Proceed based on the client you are using:
- web client: In SSH Key Generation and Deployment Settings, select one of the following settings based on the client you are using:
- desktop client: Select one of the following:
- Automatically Generate the SSH Key and do one of the following:
- Enter a Password.
- Select the Manually Deploy the SSH Key check box. Select Auto Accept SSH Host Key, if desired.
- Import and Manually Deploy the SSH Key
NOTE: Safeguard for Privileged Passwords does not currently manage the options for an authorized key. If an imported key has any options configured in the authorized keys file on the asset, these options will not be preserved when the key is rotated by Safeguard for Privileged Passwords.
- Browse to locate the Private Key File.
- On the Import SSH Key dialog, click Browse and locate the private key file. Enter a Password, if desired. A password is required if the private key is encrypted.
- Click OK.
For either selection, optionally select Auto Accept SSH Host Key to have Safeguard for Privileged Passwords automatically accept the SSH host key when it creates the archive server.
- Test Connection: Click this button to verify that the appliance can communicate with this archive server. For details, see:
- Click OK.
Once you have configured your archive servers, you need to designate a target archive for both your backup files and session recordings. For backup files, see Archive backup.
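When Auto Accept SSH Host Key is selected, the key is trusted on first contact, so it is worth comparing the SSH Host Key Fingerprint shown for the archive server with the host public key collected on the server itself. The following is an added example, not One Identity code; it assumes the page shows one of the two fingerprint renderings OpenSSH prints, and the key used in the demo is constructed.

```python
import base64
import hashlib
import struct


def key_blob(pubkey_line):
    """Decode the key blob from an OpenSSH public key line
    ('<type> <base64> [comment]') and check it names the same key type."""
    parts = pubkey_line.split()
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    blob = base64.b64decode(parts[1], validate=True)
    if len(blob) < 4:
        raise ValueError("key blob too short")
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n] != parts[0].encode("ascii"):
        raise ValueError("key type does not match key blob")
    return blob


def fingerprints(pubkey_line):
    """Both renderings OpenSSH prints: SHA256 (unpadded base64) and MD5 (hex pairs)."""
    blob = key_blob(pubkey_line)
    sha = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    md5 = hashlib.md5(blob).hexdigest()
    return {"sha256": "SHA256:" + sha,
            "md5": "MD5:" + ":".join(md5[i:i + 2] for i in range(0, 32, 2))}


def matches(displayed, pubkey_line):
    """True if the displayed fingerprint equals either rendering of the key.
    Assumption: the displayed value may or may not carry the hash prefix."""
    shown = displayed.strip()
    for prefix in ("SHA256:", "MD5:"):
        if shown.startswith(prefix):
            shown = shown[len(prefix):]
    fps = fingerprints(pubkey_line)
    # Base64 is case-sensitive; hex is compared case-insensitively.
    return shown == fps["sha256"][7:] or shown.lower() == fps["md5"][4:]


def constructed_key(seed):
    """Constructed ed25519-shaped key line for the demo (not a real host key)."""
    blob = (struct.pack(">I", 11) + b"ssh-ed25519"
            + struct.pack(">I", 32) + bytes([seed] * 32))
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " constructed@example"


if __name__ == "__main__":
    server_key = constructed_key(1)          # stands in for the server's host key
    displayed = fingerprints(server_key)["sha256"]
    print("same key:     ", matches(displayed, server_key))
    print("different key:", matches(displayed, constructed_key(2)))
```

A mismatch means the appliance accepted a key other than the one the archive server presents now, which should be resolved before backups or session recordings are sent to it.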
Appliance Administrators can configure Safeguard for Privileged Passwords to perform weekly maintenance, audit log purge, and audit log archiving to a designated archive server. Archiving audit logs allows you to keep critical and relevant data online and current while eliminating or archiving audit logs that are no longer required.
The benefits of purging audit logs include smaller backups and less audit log data to stream when enrolling a new cluster member. It is recommended you store no more than six months of audit logs on your Safeguard appliance.
The default Audit Log Maintenance configuration is to synchronize data and audit logs only on Saturday at 12 a.m.
CAUTION: Audit Log Maintenance locks the cluster. The operations can take hours depending on the amount of audit log data on the appliance, the amount of data being archived/purged, and the network between the synchronizing nodes in the cluster.
View Audit Log Maintenance settings
- While connected to the primary appliance, go to Audit Log Maintenance:
- web client: Navigate to Backup and Retention | Audit Log Maintenance.
- desktop client: Navigate to Administrative Tools | Settings | Backup and Retention | Audit Log Maintenance.
- If configured, the following displays:
- Archive (desktop client): The archive server, if required by the operation.
- Action: The action defined in Audit Log Maintenance.
- Schedule (web client): A description of the schedule, such as Every Saturday at 12:00 AM.
- Next Scheduled Maintenance: The next time the scheduled maintenance will run.
- Last Successful: The local time of the last successful Run or Archive/Purge.
- Last Failed: The local time of the last failed Run or Archive/Purge.
- Last Audit Log Sync: The local time of the last audit log synchronization.
- Last Data Sync: The local time of the last data synchronization.
Configure and schedule Audit Log Maintenance
To define and schedule Audit Log Maintenance, configure the following. For a cluster, configure the primary appliance. Each action will take some time to process. The cluster is locked during the process and other cluster operations cannot be performed. You can check progress in the Activity Center. See Monitoring the progress of Audit Log Maintenance.
- While connected to the primary appliance, go to Audit Log Maintenance:
- web client: Navigate to Backup and Retention | Audit Log Maintenance.
- desktop client: Navigate to Administrative Tools | Settings | Backup and Retention | Audit Log Maintenance.
- Click Settings to configure Audit Log Maintenance.
- On the Audit Log Maintenance dialog, select an action:
- Set the schedule for Audit Log Maintenance to run:
- Select the Day of the week. The default is Saturday.
- Click Time and select the Start Hour. The default is 12:00 a.m.
- Select the time zone. The default is Coordinated Universal Time (UTC).
- Click OK.
Monitoring the progress of Audit Log Maintenance
Audit Log Maintenance automatically runs the configuration settings and schedule you enter. You can also manually select to run Audit Log Maintenance. Check the results in the Activity Center based on the action. If you need to cancel the operation at any point, follow the steps in Cancel Audit Log Maintenance from the Audit Log Maintenance page.
- Synchronize data and audit logs only (and not perform archive and delete):
- Processing and successful completion: Audit log maintenance synchronize has both a data and audit log sync component. These only do work in a cluster. At the beginning of the operation, the cluster is locked for "ensuring data consistency". This can be viewed on both the Audit Log Maintenance summary and in the Settings | Cluster Management.
The start of data synchronization is recorded with a SynchronizingDataStarted event. Upon completion, the SynchronizingDataCompleted event reports if all data was successfully synchronized or if only a portion completed. Next, the start of the audit log synchronization is recorded with the SynchronizingAuditLogStartedEvent. Upon completion, the SynchronizingAuditLogCompletedEvent will report if all audit logs were successfully synchronized or if only a portion completed.
In order to ensure every appliance has consistent data and audit logs, synchronize must successfully synchronize all data every week.
- Failed portions: If the complete events indicate not all sync was successful, the sync will trigger the following day at the configured start hour and retry failed portions.
- Synchronize after archiving and deleting audit logs older than __ days:
- Processing: Audit log archiving selects all the audit logs after the purge date to archive. At the beginning of the operation, the cluster is locked for Archiving and/or purging audit logs. Audit log maintenance will proceed with the purge only if the archive is successful. On each appliance, the purge operation will determine if there is data to purge. If so, the replicas will enter maintenance one at a time to purge the data. Each appliance should be in maintenance for less than five minutes. Once complete, the primary will purge while in maintenance. The cluster lock will be released. Audit log maintenance will now proceed to the synchronize operations as detailed in the bullet above.
- Successful: When the archive is successfully sent to the archive server, it will generate an ArchiveTaskSucceeded event. If purge is required and successful, it will generate the AuditLogPurged event. The cluster lock will be released and the SchedulerJobSucceeded event will mark the end of the archive/purge operations. Audit log maintenance will continue on to synchronize as detailed above.
- Failed: If the primary appliance is unable to archive the audit logs, there will be no ArchiveTaskSucceeded event and there will be no subsequent purge. The data will remain on all appliances. The archive/purge operation will complete with a SchedulerJobFailed event containing Job ID = core.AuditLogMaintenance. You can see the reason for the failure in the event. Audit log maintenance will continue on to synchronize as detailed above.
- Synchronize after deleting audit logs older than __ days:
- Processing: Audit log purging enumerates all the audit logs after the purge date to delete from each appliance in the cluster. The data cannot be recovered. At the beginning of the operation, the cluster is locked for Archiving and/or purging audit logs. On each appliance, the purge operation will determine if there is data to purge. If so, the replicas will enter maintenance one at a time to purge the data. Each appliance should be in maintenance for less than five minutes. Once complete, the primary will purge while in maintenance. The cluster lock will be released. Audit log maintenance will now proceed to the synchronize operations as detailed in the bullet above.
- Success: If purge is required and successful, it will generate the AuditLogPurged event. The cluster lock will be released and the SchedulerJobSucceeded event will mark the end of the archive/purge operations. Audit log maintenance will continue on to synchronize as detailed above.
- Failed: If the primary appliance is unable to delete the audit logs, the operation will complete with a SchedulerJobFailed event containing Job ID = core.AuditLogMaintenance. You can see the reason for the failure in the event. Audit log maintenance will continue on to synchronize as detailed above.
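The event sequences above can be checked mechanically after each run. The following is an added example, not One Identity code: the event names and Job ID are the ones this page gives, while the record layout (`name`, `job_id`, `all_synced`) is an assumed export format and the sample runs are constructed.

```python
# Added example: event names and the Job ID come from the page; the record
# layout ('name', 'job_id', 'all_synced') is an assumed export format.
JOB_ID = "core.AuditLogMaintenance"
SYNC_DONE = ("SynchronizingDataCompleted", "SynchronizingAuditLogCompleted")


def canon(name):
    """Fold the spellings the page uses for one event into a single name:
    with or without the 'Event' suffix, 'AuditLog' or 'AuditLogs'."""
    if name.endswith("Event"):
        name = name[: -len("Event")]
    return name.replace("AuditLogs", "AuditLog")


def assess(events, archive_expected):
    """Classify one maintenance run. events is ordered oldest first."""
    archived = purged = unarchived_purge = False
    job = "pending"
    synced = {}
    for ev in events:
        name = canon(ev["name"])
        if name == "ArchiveTaskSucceeded":
            archived = True
        elif name == "AuditLogPurged":
            purged = True
            # The purge is documented to run only after a successful archive.
            if archive_expected and not archived:
                unarchived_purge = True
        elif name.startswith("SchedulerJob") and ev.get("job_id") == JOB_ID:
            job = {"SchedulerJobSucceeded": "succeeded",
                   "SchedulerJobFailed": "failed"}.get(name, job)
        elif name in SYNC_DONE:
            synced[name] = bool(ev.get("all_synced"))
    sync_finished = all(n in synced for n in SYNC_DONE)
    return {
        "archive_purge": job,
        "archived": archived,
        "purged": purged,
        "unarchived_purge": unarchived_purge,
        "sync_finished": sync_finished,
        # A partial sync is retried the next day at the configured start hour.
        "retry_expected": sync_finished and not all(synced.values()),
    }


def mk(name, **fields):
    return dict(name=name, **fields)


# Constructed sample runs (not real appliance output).
RUN_OK = [mk("ArchiveTaskSucceeded"), mk("AuditLogPurged"),
          mk("SchedulerJobSucceeded", job_id=JOB_ID),
          mk("SynchronizingDataStarted"),
          mk("SynchronizingDataCompleted", all_synced=True),
          mk("SynchronizingAuditLogStartedEvent"),
          mk("SynchronizingAuditLogCompletedEvent", all_synced=True)]
RUN_ARCHIVE_FAILED = [mk("SchedulerJobFailed", job_id=JOB_ID),
                      mk("SynchronizingDataCompleted", all_synced=False),
                      mk("SynchronizingAuditLogCompletedEvent", all_synced=True)]
RUN_SUSPECT = [mk("AuditLogPurged"), mk("SchedulerJobSucceeded", job_id=JOB_ID)]
```

For the archive-and-delete action, `unarchived_purge` set to true marks a run where audit logs were purged with no archive success recorded, which is the case to investigate first because purged audit data cannot be recovered.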
Manually run Audit Log Maintenance
You can manually run Audit Log Maintenance. The same operations detailed above based on the Audit Log Maintenance configuration execute. Each action will take some time to process. The cluster is locked during the process and other cluster operations cannot be performed. You can check progress in the Activity Center. See Monitoring the progress of Audit Log Maintenance.
- While connected to the primary appliance, go to Audit Log Maintenance:
- web client: Navigate to Backup and Retention | Audit Log Maintenance.
- desktop client: Navigate to Administrative Tools | Settings | Backup and Retention | Audit Log Maintenance.
- Click Settings to ensure the Audit Log Maintenance configuration is correct.
- Click Run Now to run Audit Log Maintenance as configured. You will be presented with a confirmation dialog box. How you proceed will depend on the action you selected:
- If the action is Synchronize data and audit logs only (and not perform archive and delete), the Synchronize Data and Audit Logs dialog box displays.
- If the action is Synchronize after archiving and deleting audit logs older than __ days, the Archive dialog box displays with the name of the archive server.
- If the action is Synchronize after deleting audit logs older than __ days, the Purge Audit Log dialog displays indicating that the audit log will be purged according to the retention policy (the number of days you entered). Purged audit logs cannot be recovered.
Cancel Audit Log Maintenance from the Audit Log Maintenance page
When Audit Log Maintenance is running, the cluster is locked and a Cancel button is available. When you click Cancel, you will be presented with an Unlock Cluster confirmation dialog. Enter Unlock Cluster and click OK. The cluster lock is released immediately; however, you must monitor the Activity Center as follows to ensure the operations are complete. For more information, see Monitoring the progress of Audit Log Maintenance.
- Synchronize data and audit logs only: When you cancel, the lock is released immediately; however, you must monitor the Activity Center for completion of the work. In the Activity Center, wait for the SynchronizingDataCompletedEvent and then the SynchronizingAuditLogsCompletedEvent to appear before proceeding with other clustering operations, to ensure all nodes in the cluster hold all of the audit data. Once canceled, the cluster will try to complete the audit log synchronization at the Audit Log Management Start Hour on the next day.
- Synchronize after archiving and deleting audit logs older than __ days: When you cancel, the lock is released immediately; however, you must monitor the Activity Center for completion of the work. If you elect to cancel while the cluster is locked for Archiving and/or purging audit logs, monitor the Activity Center for the SchedulerJobSucceeded or SchedulerJobFailed event, containing Job Id = core.AuditLogMaintenance, indicating the archive/purge has completed. Audit Log Maintenance will continue to synchronize regardless. You will also need to cancel once you see the cluster is locked for Ensuring data consistency. Monitor the Activity Center for the SynchronizingAuditLogCompleted event indicating the operation completed. It is now safe to continue with your clustering operation.
- Synchronize after deleting audit logs older than __ days: When you cancel, the lock is released immediately; however, you must monitor the Activity Center for completion of the work. If you elect to cancel while the cluster is locked for Archiving and/or purging audit logs, monitor the Activity Center for the SchedulerJobSucceeded or SchedulerJobFailed event, containing Job Id = core.AuditLogMaintenance, indicating the archive/purge has completed. Audit Log Maintenance will continue to synchronize regardless. You will also need to cancel once you see the cluster is locked for Ensuring data consistency. Monitor the Activity Center for the SynchronizingAuditLogCompleted event indicating the operation completed. It is now safe to continue with your clustering operation.
To cancel Audit Log Maintenance from Cluster Management
You can also cancel Audit Log Maintenance from Cluster Management by unlocking the cluster with the following steps. For more information, see Unlocking a locked cluster.
- Go to Cluster Management:
- web client: Navigate to Backup and Retention | Audit Log Maintenance.
- desktop client: Navigate to Administrative Tools | Settings | Cluster | Cluster Management.
- On Cluster Management, a banner like the following displays: Archiving and/or purging audit logs and the Start Time displays. The message reminds you that the cluster is locked during the process and other cluster operations cannot be performed. The cluster will unlock automatically when the operation is complete.
- Click the lock icon in the upper right corner of the warning banner.
- In the Unlock Cluster confirmation dialog, enter Unlock Cluster and click OK. This will release the cluster lock that was placed on all of the appliances in the cluster and close the operation.
IMPORTANT: Care should be taken when unlocking a locked cluster. It should only be used when you are sure that one or more appliances in the cluster are offline and will not finish the current operation. If you force the cluster unlock, you may cause instability on an appliance, requiring a factory reset and possibly the need to rebuild the cluster. If you are unsure about the operation in progress, do NOT unlock the cluster.