Safeguard for Privileged Passwords On Demand Hosted - Administration Guide

Operating System Licensing

Available on virtual machines only, not on hardware.

It is the responsibility of the Appliance Administrator to ensure the operating system is configured. Operating system licensing is automatic in the AWS and Azure deployments.

Use the Operating System Licensing pane to view and configure the operating system of a virtual appliance.

  1. Navigate to Operating System Licensing:
    • web client: Navigate to Appliance | Operating System Licensing.
    • desktop client: Navigate to Administrative Tools | Settings | Appliance | Operating System Licensing.
  2. Click Refresh anytime to refresh the settings.
  3. The display shows if Windows is licensed with KMS or licensed with a product key. Click Details to see additional information.

SSH Algorithms

The Appliance Administrator has the option to configure SSH Algorithms, if necessary, to restrict the algorithms used when connecting to any SSH server. The settings are applied whenever Safeguard for Privileged Passwords connects to any SSH server, either to connect to an asset using SSH or to connect to an archive server using SSH.

When an SSH client connects to a server, each side of the connection offers four lists of algorithms to use as connection parameters to the other side. These are:

  • Public Key: The public key algorithms accepted for an SSH server to authenticate itself to an SSH client
  • Cipher: The ciphers to encrypt the connection
  • Kex: The key exchange methods that are used to generate per-connection keys
  • MAC: The message authentication codes used to detect traffic modification

By default, Safeguard for Privileged Passwords offers all supported algorithms when using SSH to connect to an archive server or asset. For each algorithm type, you can configure Safeguard to offer a subset of the supported algorithms. To return to the default (support all algorithms), delete all algorithm information entered then save the changes.

For a successful connection, there must be at least one mutually-supported choice for each parameter. Safeguard for Privileged Passwords may initiate an SSH connection to an asset or archive server and not be able to negotiate a mutually-acceptable algorithm. An error is reported and an attempt is made to identify the algorithm type that could not be negotiated. Some SSH servers do not provide enough information to identify the algorithm type.

To identify SSH algorithms

  1. Navigate to SSH Algorithms:
    • web client: Navigate to Appliance | SSH Algorithms.
    • desktop client: Navigate to Administrative Tools | Settings | Appliance | SSH Algorithms.
  2. Click Refresh anytime to refresh the settings.
  3. Enter a comma-separated list of the algorithms you want in the text boxes. Leave the text box blank to allow all supported algorithms.
    • Public Key
    • Cipher
    • Kex
    • MAC
  4. Click OK (desktop client) or Save (web client).

Adjusting the order of preference for public key algorithms

By default, the list of public key algorithms supported for host keys and available for identity keys is negotiated with the SSHD server in this order of preference:

  1. ssh-ed25519
  2. ecdsa-sha2-nistp256
  3. ecdsa-sha2-nistp384
  4. ecdsa-sha2-nistp521
  5. ssh-rsa
  6. rsa-sha2-256
  7. rsa-sha2-512
  8. ssh-dss

You can change the preferred order and/or restrict the available algorithms to a subset of this list by configuring the PublicKey list using the SshAlgorithms API.
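
The negotiation rule and the public key preference order described above can be checked offline before a restricted list is saved. The following is an added example, not One Identity code: it assumes the standard SSH rule that the first algorithm on the client's list that the server also offers is chosen, and the Cipher, Kex and MAC "supported" sets and both sample servers are constructed for illustration.

```python
# Added illustration: offline model of SSH algorithm negotiation (RFC 4253, 7.1).
# Simplification: each type is negotiated independently; client preference wins.

# Default public key order as listed on this page.
PUBLIC_KEY_DEFAULT = ["ssh-ed25519", "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384",
                      "ecdsa-sha2-nistp521", "ssh-rsa", "rsa-sha2-256",
                      "rsa-sha2-512", "ssh-dss"]

# Constructed "supported" sets for the other types (not the appliance's real lists).
SUPPORTED = {
    "Public Key": PUBLIC_KEY_DEFAULT,
    "Cipher": ["aes256-ctr", "aes128-ctr"],
    "Kex": ["curve25519-sha256", "diffie-hellman-group14-sha1"],
    "MAC": ["hmac-sha2-256", "hmac-sha1"],
}

def parse_setting(kind, text):
    """Parse one text-box value; blank means offer every supported algorithm."""
    names = [n.strip() for n in text.split(",") if n.strip()]
    if not names:
        return list(SUPPORTED[kind])
    unknown = [n for n in names if n not in SUPPORTED[kind]]
    if unknown:
        raise ValueError(f"{kind}: unsupported {unknown}")
    return names

def negotiate(settings, server_offer):
    """Return {type: chosen algorithm or None} for one connection attempt."""
    result = {}
    for kind in SUPPORTED:
        offer = parse_setting(kind, settings.get(kind, ""))
        result[kind] = next((a for a in offer if a in server_offer[kind]), None)
    return result

def failed_types(result):
    """Algorithm types with no mutually supported choice."""
    return [kind for kind, chosen in result.items() if chosen is None]

# Constructed sample: restricted Public Key list, other boxes left blank.
SETTINGS = {"Public Key": "ssh-ed25519, rsa-sha2-512, rsa-sha2-256"}
# Constructed servers: one current, one offering only legacy host key types.
MODERN = {"Public Key": ["rsa-sha2-512", "ssh-ed25519"], "Cipher": ["aes128-ctr", "aes256-ctr"],
          "Kex": ["curve25519-sha256"], "MAC": ["hmac-sha2-256"]}
LEGACY = {"Public Key": ["ssh-rsa", "ssh-dss"], "Cipher": ["aes128-ctr"],
          "Kex": ["diffie-hellman-group14-sha1"], "MAC": ["hmac-sha1"]}

if __name__ == "__main__":
    for name, server in (("modern", MODERN), ("legacy", LEGACY)):
        outcome = negotiate(SETTINGS, server)
        print(name, outcome, "failed:", failed_types(outcome))
```

Running the same check against the algorithm lists of each managed asset and archive server shows which ones would stop connecting after ssh-rsa and ssh-dss are removed from the Public Key list.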

Patch Updates

NOTE: In the desktop client this appears as Updates.

It is the responsibility of the Appliance Administrator to update or upgrade One Identity Safeguard for Privileged Passwords by installing an update file to modify the software or configuration of the running appliance. See the Download Software page for available SPP releases and version patches.

If an update fails, the audit log reflects: PatchUploadFailed.

Clustered environment

Apply the patch so all appliances in the cluster are on the same version. The procedure for patching cluster members depends on the Safeguard for Privileged Passwords version you are currently running.

  • If you are running Safeguard for Privileged Passwords 2.0.1.x or earlier, you must unjoin replica appliances, install the patch on each appliance, and then enroll the replica appliances to rebuild your cluster. For more information, see Patching cluster members in the One Identity Safeguard for Privileged Passwords 2.0 Administration Guide.
  • If you are running Safeguard for Privileged Passwords 2.1.x or 2.2.x, you can use the enhanced cluster patching feature where unjoining replica appliances is no longer required. For more information, see Patching cluster members.

To install an update file

IMPORTANT: Once you start a patch update, do not leave or refresh the page. Doing so will cause the browser to lose track of the patch update and you will have to restart the process.

  1. Back up your system before you install an update file. For more information, see Backup and Restore.

  2. Go to Patch Updates:
    • web client: Navigate to Appliance | Patch Updates.
    • desktop client: Navigate to Administrative Tools | Settings | Appliance | Updates.
  3. The current Appliance Version displays along with this information:
    • web client: The operating system level, whether the appliance is online or offline, and whether the appliance is the Primary.
    • desktop client: The operating system level, the desktop client version, and whether the appliance is online or offline.
  4. Click Upload a File and browse to select an update file. Simply uploading a file does not install the file. You must complete the next step.

    If the patch verification fails, an error alert displays. Click any of the Error or Warning counts to view the errors or warnings currently logged.

  5. Once the file has successfully uploaded, click one of the following:
    • Install Now to install the update file. Respond to the confirmation dialog which includes any warnings. The install process begins and the appliance goes into maintenance mode.
      Once you install an update file, you cannot uninstall it. This button is disabled until the patch is distributed to all cluster members. If this is a single-appliance cluster, distribution is not required.
    • Distribute to Cluster is disabled if there are errors. Click Distribute to Cluster to initiate the distribution of the patch to all cluster members. Clicking Cancel will stop distribution. Cluster Update Status blocks will be updated as each member receives the patch.
    • Check Errors to initiate a check of pre-patch conditions. If the patch has not been distributed or if there was an error reported during validation this will only perform the check on the local appliance. If the patch has been distributed this will perform the check on all cluster members. The same warnings may be returned from each cluster member.
    • Remove is enabled when the patch is uploaded. Click Remove to remove (unstage) the patch from all cluster members.

    The Updates pane shows the upgrade progress and when the appliance has been successfully upgraded.

Power

The Appliance Administrator or Operations Administrator can power down or restart an appliance from the web client, desktop client, or directly from the appliance itself.

Caution: Rebooting the appliance causes a service outage for any current users.

web client

You can shut down or restart your appliance from the web client. The steps follow.

To shut down an appliance

  1. Navigate to Appliance | Power.
  2. Under Power, type a Reason for shutting down the Safeguard for Privileged Passwords Appliance then click Shut Down.
  3. To confirm your action, enter the words Shut Down in the box and click OK.
  4. The One Identity Safeguard for Privileged Passwords Appliance LCD screen displays LCD service terminating.

To start up an appliance

  1. Navigate to Appliance | Appliance Information
  2. Scroll to the bottom of the dialog. Under Power, type a Reason for restarting the Safeguard for Privileged Passwords Appliance then click Restart. The appliance goes into maintenance mode. The user is informed when the restart is complete.
  3. To confirm your action, enter the word Restart in the box and click OK.
  4. The One Identity Safeguard for Privileged Passwords Appliance LCD screens display the run level status of the appliance as it is starting up. For more information, see LCD status messages.

desktop client

You can shut down or restart your appliance from the desktop client. For information, see:

Appliance

You can shut down or restart your appliance from the appliance itself.


Appliance: Shut down from the appliance

You can use the Red X button on the front panel of the appliance to shut it down. Press and hold the Red X button for four seconds until it displays POWER OFF.

Caution: Once the Safeguard appliance is booted, DO NOT press and hold the Red X button for more than 13 seconds. This will hard power off the appliance and may result in damage.

Appliance: Restart from the appliance

After the appliance powers off, you will need physical access to start it. Press the Green check mark button on the front panel of the appliance for NO MORE than one second to power on the appliance.

Caution: Once the Safeguard appliance is booted, DO NOT press and hold the Green check mark button. Holding this button for four or more seconds will cold reset the power of the appliance and may result in damage.
