Chat now with support
Chat with Support

One Identity Safeguard for Privileged Sessions 7.5 - Administration Guide

Preface Introduction The concepts of One Identity Safeguard for Privileged Sessions (SPS)
The philosophy of One Identity Safeguard for Privileged Sessions (SPS) Policies Credential Stores Plugin framework Indexing Supported protocols and client applications Modes of operation Connecting to a server through One Identity Safeguard for Privileged Sessions (SPS) Archive and backup concepts Maximizing the scope of auditing IPv6 in One Identity Safeguard for Privileged Sessions (SPS) SSH host keys Authenticating clients using public-key authentication in SSH The gateway authentication process Four-eyes authorization Network interfaces High Availability support in One Identity Safeguard for Privileged Sessions (SPS) Versions and releases of One Identity Safeguard for Privileged Sessions (SPS) Accessing and configuring One Identity Safeguard for Privileged Sessions (SPS)
Cloud deployment considerations The Welcome Wizard and the first login Basic settings
Supported web browsers The structure of the web interface Network settings Configuring date and time System logging, SNMP and e-mail alerts Configuring system monitoring on SPS Data and configuration backups Archiving Cleaning up audit data Using plugins Forwarding data to third-party systems Starling integration
User management and access control
Login settings Managing One Identity Safeguard for Privileged Sessions (SPS) users locally Setting password policies for local users Managing local user groups Managing One Identity Safeguard for Privileged Sessions (SPS) users from an LDAP database Authenticating users to a RADIUS server Authenticating users with X.509 certificates Authenticating users with SAML2 Managing user rights and usergroups Creating rules for restricting access to search audit data Displaying the privileges of users and user groups Listing and searching configuration changes
Managing One Identity Safeguard for Privileged Sessions (SPS)
Controlling One Identity Safeguard for Privileged Sessions (SPS): reboot, shutdown Managing One Identity Safeguard for Privileged Sessions (SPS) clusters Managing a High Availability One Identity Safeguard for Privileged Sessions (SPS) cluster Upgrading One Identity Safeguard for Privileged Sessions (SPS) Managing the One Identity Safeguard for Privileged Sessions (SPS) license Accessing the One Identity Safeguard for Privileged Sessions (SPS) console Sealed mode Out-of-band management of One Identity Safeguard for Privileged Sessions (SPS) Managing the certificates used on One Identity Safeguard for Privileged Sessions (SPS)
General connection settings HTTP-specific settings ICA-specific settings MSSQL-specific settings RDP-specific settings SSH-specific settings Using Sudo with SPS Telnet-specific settings VMware Horizon View connections VNC-specific settings Indexing audit trails Using the Search interface Advanced authentication and authorization techniques Reports The One Identity Safeguard for Privileged Sessions (SPS) REST API One Identity Safeguard for Privileged Sessions (SPS) scenarios Troubleshooting One Identity Safeguard for Privileged Sessions (SPS)
Network troubleshooting Gathering data about system problems Viewing logs on One Identity Safeguard for Privileged Sessions (SPS) Changing log verbosity level of One Identity Safeguard for Privileged Sessions (SPS) Collecting logs and system information for error reporting Collecting logs and system information of the boot process for error reporting Support hotfixes Status history and statistics Troubleshooting a One Identity Safeguard for Privileged Sessions (SPS) cluster Understanding One Identity Safeguard for Privileged Sessions (SPS) RAID status Restoring One Identity Safeguard for Privileged Sessions (SPS) configuration and data VNC is not working with TLS Configuring the IPMI from the BIOS after losing IPMI password Incomplete TSA response received Using UPN usernames in audited SSH connections
Using SPS with SPP Configuring external devices Using SCP with agent-forwarding Security checklist for configuring One Identity Safeguard for Privileged Sessions (SPS) Jumplists for in-product help Configuring SPS to use an LDAP backend Glossary

Disabling sealed mode

The event of disabling sealed mode is logged. The following describes how to disable sealed mode.

To disable sealed mode

  1. Go to the One Identity Safeguard for Privileged Sessions (SPS) appliance and access the local console.

  2. Log in as root.

  3. From the console menu, select Sealed mode > Disable

  4. Select Back to Main menu > Logout.

Out-of-band management of One Identity Safeguard for Privileged Sessions (SPS)

One Identity Safeguard for Privileged Sessions (SPS) 7.5 includes a dedicated out-of-band management interface conforming to the Intelligent Platform Management Interface (IPMI) v2.0 standards. The IPMI allows system administrators to monitor the system health of SPS and to manage the computer events remotely, independently of the operating system of SPS. SPS is accessible using the IPMI only if the IPMI is physically connected to the network.

NOTE: IPMI supports only 100 Mbps Full-Duplex speed.

Note that the IPMI supports only 100 Mbps Full-Duplex speed.

  • For details on connecting the IPMI, see Installing the SPS hardware in the Installation Guide.

  • For details on configuring the IPMI, see Configuring the IPMI from the console.

  • For details on using the IPMI to remotely monitor and manage SPS, see the following document:

    For Safeguard Sessions Appliance 4000, see the X12 H12 BMC User's Manual

Basic information about the IPMI is available also on the SPS web interface on the Basic Settings > High Availability page. The following information is displayed:

Figure 144: Basic Settings > High Availability — Information about the IPMI SPS

  • Hardware serial number: The unique serial number of the appliance.

  • IPMI IP address: The IP address of the IPMI.

  • IPMI subnet mask: The subnet mask of the IPMI.

  • IPMI default gateway: The address of the default gateway configured for the IPMI.

  • IPMI IP address source: Shows how the IPMI receives its IP address: dynamically from a DHCP server, or it uses a fixed static address.

Configuring the IPMI from the console

This section describes how you can modify the network configuration of IPMI from the console of One Identity Safeguard for Privileged Sessions (SPS).

Prerequisites

SPS is accessible using the IPMI only if the IPMI is physically connected to the network. For details on connecting the IPMI, see Installing the SPS hardware in the Installation Guide.

Caution:

IPMI searches for available network interfaces during boot. Make sure that IPMI is connected to the network through the dedicated Ethernet interface before SPS is powered on.

Caution: SECURITY HAZARD!

The IPMI, like all out-of-band management interfaces, has known vulnerabilities that One Identity cannot fix or have an effect on. To avoid security hazards, One Identity recommends that you only connect the IPMI to well-protected, separated management networks with restricted accessibility. Failing to do so may result in an unauthorized access to all data stored on the SPS appliance. Data on the appliance can be unencrypted or encrypted, and can include sensitive information, for example, passwords, decryption keys, private keys, and so on.

For more information, see Best Practices for managing servers with IPMI features enabled in Datacenters.

NOTE: The administrator of SPS must be authorized and able to access the IPMI for support and troubleshooting purposes in case vendor support is needed.

The following ports are used by the IPMI:

  • Port 22 (TCP): SSH (configurable)

  • Port 80 (TCP): Web (configurable)

  • Port 161 (UDP, TCP): SNMP (configurable)

  • Port 443 (TCP): Web SSL (configurable)

  • Port 623 (UDP): Virtual Media (configurable)

  • Port 5900 (TCP): IKVM Server (configurable)

  • Port 5985 (TCP): Wsman (configurable)

The SSH encrypted connection (port 22) works with the following properties:

Supported:

Safeguard Sessions Appliance 3000

Safeguard Sessions Appliance 3500

Ciphers

aes128-ctr, aes256-ctr

3des-cbc, aes128-ctr, aes128-cbc, aes256-ctr, aes256-cbc

KEX algorithm

curve25519-sha256, ecdh-sha2-nistp256, curve25519-sha256@libssh.org, ecdh-sha2-nistp384, diffie-hellman-group1-sha1, ecdh-sha2-nistp521, diffie-hellman-group14-sha1

curve25519-sha256, ecdh-sha2-nistp256, curve25519-sha256@libssh.org, ecdh-sha2-nistp384, diffie-hellman-group1-sha1, ecdh-sha2-nistp521, diffie-hellman-group14-sha1

MACs

hmac-sha1, hmac-sha2-256, hmac-sha1-96, hmac-sha2-512

hmac-md5, hmac-sha2-256, hmac-sha1, hmac-sha2-512, hmac-sha1-96

HostKey algorithms

ssh-rsa, ssh-dss

ssh-rsa, ssh-dss

Compression

enabled enabled

SSL-encrypted connections work with the following properties:

Supported:

Safeguard Sessions Appliance 3000

Safeguard Sessions Appliance 3500

TLSv1.2

enabled

enabled

TLS Fallback SCSV

supported

supported

Heartbleed

not vulnerable

not vulnerable

Server Ciphers

Preferred TLSv1.2 256 bits ECDHE-RSA-AES256-GCM-SHA384 Curve P-256 DHE 256

Accepted TLSv1.2 256 bits ECDHE-RSA-AES256-SHA384 Curve P-256 DHE 256

Accepted TLSv1.2 256 bits DHE-RSA-AES256-GCM-SHA384 DHE 2048 bits

Accepted TLSv1.2 256 bits DHE-RSA-AES256-SHA256 DHE 2048 bits

Accepted TLSv1.2 256 bits AES256-GCM-SHA384

Accepted TLSv1.2 256 bits AES256-SHA256

Accepted TLSv1.2 128 bits ECDHE-RSA-AES128-GCM-SHA256 Curve P-256 DHE 256

Accepted TLSv1.2 128 bits ECDHE-RSA-AES128-SHA256 Curve P-256 DHE 256

Accepted TLSv1.2 128 bits DHE-RSA-AES128-GCM-SHA256 DHE 2048 bits

Accepted TLSv1.2 128 bits DHE-RSA-AES128-SHA256 DHE 2048 bits

Accepted TLSv1.2 128 bits AES128-GCM-SHA256

Accepted TLSv1.2 128 bits AES128-SHA256

Preferred TLSv1.2 256 bits ECDHE-RSA-AES256-GCM-SHA384 Curve P-256 DHE 256

Accepted TLSv1.2 256 bits ECDHE-RSA-AES256-SHA384 Curve P-256 DHE 256

Accepted TLSv1.2 256 bits DHE-RSA-AES256-GCM-SHA384 DHE 2048 bits

Accepted TLSv1.2 256 bits DHE-RSA-AES256-SHA256 DHE 2048 bits

Accepted TLSv1.2 256 bits AES256-GCM-SHA384

Accepted TLSv1.2 256 bits AES256-SHA256

Accepted TLSv1.2 128 bits ECDHE-RSA-AES128-GCM-SHA256 Curve P-256 DHE 256

Accepted TLSv1.2 128 bits ECDHE-RSA-AES128-SHA256 Curve P-256 DHE 256

Accepted TLSv1.2 128 bits DHE-RSA-AES128-GCM-SHA256 DHE 2048 bits

Accepted TLSv1.2 128 bits DHE-RSA-AES128-SHA256 DHE 2048 bits

Accepted TLSv1.2 128 bits AES128-GCM-SHA256

Accepted TLSv1.2 128 bits AES128-SHA256

Server Key Exchange Groups

TLSv1.2 128 bits secp256r1 (NIST P-256)

TLSv1.2 128 bits secp256r1 (NIST P-256)

Server Signature Algorithms

TLSv1.2 Server accepts all signature algorithms.

TLSv1.2 Server accepts all signature algorithms.

To modify the network configuration of IPMI from the console of SPS

  1. Use the local console (or SSH) to log in to SPS as root.

  2. Choose Shells > Boot shell.

  3. Check the network configuration of the interface:

    # ipmitool lan print

    This guide assumes that channel 1 is used for LAN. If your setup differs, adjust the following commands accordingly.

  4. Configure the interface. You can use DHCP or configure a static IP address manually.

    Use an IPv4 address.

    • To use DHCP, enter the following command:

      # ipmitool lan set 1 ipsrc dhcp

    • To use static IP, enter the following command:

      # ipmitool lan set 1 ipsrc static

      Set the IP address:

      # ipmitool lan set 1 ipaddr <IPMI-IP>

      Set the netmask:

      # ipmitool lan set 1 netmask <IPMI-netmask>

      Set the IP address of the default gateway:

      # ipmitool lan set 1 defgw ipaddr <gateway-IP>

  5. Verify the network configuration of IPMI:

    # ipmitool lan print 1

    Use a browser to connect to the reported network address.

  6. Change the default password:

    1. Log in to the IPMI web interface using the default login credentials (username: ADMIN, password: ADMIN or changeme, depending on your hardware).

      NOTE: The login credentials are case sensitive.

    2. Navigate to Configure > Users.

    3. Select ADMIN, and choose Modify User.

    4. Change the password, and save the changes with Modify.

Configuring the IPMI from the BIOS

To configure IPMI from the BIOS when configuring your One Identity Safeguard for Privileged Sessions (SPS) physical appliance for the first time, complete the following steps.

Prerequisites

To apply the procedure outlined here, you will need physical access to a monitor and keyboard.

To configure the IPMI from the BIOS

  1. Press the DEL button when the POST screen comes up while the appliance is booting.

    Figure 145: POST screen during booting

  2. In the BIOS, navigate to the IPMI page.

  3. On the IPMI page, select BMC Network Configuration, and press Enter.

    Figure 146: IPMI page > BMC Network Configuration option

  4. On the BMC Network Configuration page, select Update IPMI LAN Configuration, press Enter, and select Yes.

    Figure 147: BMC Network Configuration page > Update IPMI LAN Configuration

  5. Stay on the BMC Network Configuration page, select Configuration Address Source, press Enter, and select Static.

    Figure 148: BMC Network Configuration page > Configuration Address Source

  6. Still on the BMC Network Configuration page, configure the Station IP Address, Subnet Mask, and Gateway IP Address individually.

    Figure 149: BMC Network Configuration page > Station IP Address, Subnet Mask, Gateway IP Address

  7. Press F4 to save the settings, and exit from the BIOS.

    About a minute later, you will be able to log in on the IPMI web interface.

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating