立即与支持人员聊天
与支持团队交流

One Identity Safeguard for Privileged Passwords 7.2 - Administration Guide

Introduction System requirements and versions Using API and PowerShell tools Using the virtual appliance and web management console Cloud deployment considerations Setting up Safeguard for Privileged Passwords for the first time Using the web client Home Privileged access requests Appliance Management
Appliance Backup and Retention Certificates Cluster Enable or Disable Services External Integration Real-Time Reports Safeguard Access Appliance Management Settings
Asset Management
Account Automation Accounts Assets Partitions Discovery Profiles Tags Registered Connectors Custom platforms
Security Policy Management
Access Request Activity Account Groups Application to Application Cloud Assistant Asset Groups Entitlements Linked Accounts User Groups Security Policy Settings
User Management Reports Disaster recovery and clusters Administrator permissions Preparing systems for management Troubleshooting Frequently asked questions Appendix A: Safeguard ports Appendix B: SPP and SPS join guidance Appendix C: Regular Expressions About us

Manually control Offline Workflow Mode

The Appliance Administrator can manually control Offline Workflow Mode using the following steps. Manual intervention is possible when automatic Offline Workflow Mode is enabled. For more information, see Offline Workflow (automatic).

To manually enable Offline Workflow Mode

  1. Go to Cluster Management:

    • web client: Navigate to Cluster > Cluster Management
  2. In the cluster view (left pane) of the offline appliance, click the member of the cluster that is offline.
  3. In the appliance details and cluster health pane (right pane), review the errors and warnings to verify the appliance has lost consensus.

  4. On the offline appliance, click Enable Offline Workflow. (This option is only available when the appliance has lost consensus with the cluster.)

    A message like the following displays:

    This appliance will run access workflow in isolation from the cluster to work around loss of consensus with the cluster. Users will be able to request, approve and release passwords, SSH key, and sessions via this appliance using cached data. When connectivity is restored, you should resume online operations to reintegrate this appliance with the cluster and merge audit logs.

    Type 'Enable Offline Workflow' in the box below to confirm.

    See KB263580 for more information.

  5. In the dialog, type Enable Offline Workflow and click Enter. The appliance is in Offline Workflow Mode and enters maintenance. In the Activity Center, the Event for the appliance goes from Enable Offline Workflow Started to Enable Offline Workflow Completed.
  6. You can verify that new requests are enabled and view the following health checks on the Cluster Management window:
    • If there is communication to the other members in the cluster, while connected to the member in Offline Worflow mode, a message like this displays at the top of the messages: Cluster connectivity detected. When communication is reestablished, you can manually resume online operations to the appliance.
    • A warning icon displays next to an appliance in Offline Workflow Mode. An error icon is displayed if viewed from any other member in the cluster if the member is unable to communicate with the member in Offline Workflow Mode. At any time, you can click Check Health to update the information.
    • A warning message like the following will display: Request Workflow: Access workflow on this appliance is operating in offline isolation from the cluster. This warning will persist until online operations are resumed by an Appliance Administrator.

To manually resume online operations

Before resuming online operations, see Considerations to resume online operations.

  1. Go to Cluster Management:

    • web client: Navigate to Cluster > Cluster Management
  2. In the cluster view (left pane), click the member of the cluster that is offline.
  3. On the appliance in Offline Workflow Mode, click Resume Online Operations. (This operation is only available when the appliance is in Offline Workflow Mode.)

    A message like the following displays:

    The appliance will be reconfigured for online operations. The appliance will attempt to reintegrate with the cluster and merge audit logs. Refer to the to the Admin Guide for more information.

    Type 'Resume Online Operations' in the box below to confirm.

  4. In the dialog, type in Resume Online Operations and click Enter.
  5. When maintenance is complete, click Restart. The appliance is returned to Maintenance mode.
  6. You can verify health checks on the Cluster Management window. If a warning icon still displays next to the appliance, select the appliance and click Check Health to rerun the cluster health check and display the most up-to-date health information.

Failing over to a replica by promoting it to be the new primary

Safeguard for Privileged Passwords allows you to failover to a replica appliance by promoting it to be the new primary.

NOTE: You can promote a replica to be the new primary anytime the cluster has consensus (that is, the majority of the cluster nodes are online and able to communicate). If you have a quorum failure (that is, the majority of the cluster members do not achieve consensus), you must perform a cluster reset instead. For more information, see Resetting a cluster that has lost consensus.

To promote a replica to be the new primary in a cluster

  1. log in to a healthy cluster member as an Appliance Administrator.
  2. Go to Cluster Management:
    • web client: Navigate to Cluster > Cluster Management
  3. In the cluster view (left pane), select the replica node that is to become the new primary.
  4. Click Failover.
  5. In the Failover confirmation dialog, enter the word Failover and click OK to proceed.

    During the failover operation, all of the appliances in the cluster are placed in Maintenance mode.

    Once the failover operation completes, the selected replica appliance appears as the primary with a state of online. All other appliances (including the "old" primary) in the cluster appear as replicas with a state of online.

Activating a read-only appliance

Appliances that have been unjoined from a Safeguard for Privileged Passwords cluster or restored from a backup are placed in a Read-only mode.

You can activate an appliance in Read-only mode so you can add, delete, and modify data, apply access request workflow, and so on.

The appliance in Read-only mode must be online in order to use the Activate task. If it is offline or the cluster does not have consensus (that is, the majority of the remaining members are offline/unable to communicate), you must use the Cluster Reset option to rebuild your cluster. For more information, see Resetting a cluster that has lost consensus.

CAUTION: Activating an appliance that is in Read-Only mode will take it out of the Read-only state and enable password and SSH key check and change for managed accounts. Ensure that no other Safeguard for Privileged Passwords Appliance is actively monitoring these accounts, otherwise access to managed accounts could be lost.

To activate a read-only appliance

  1. Log in to the read-only appliance as an Appliance Administrator.
  2. Go to Cluster Management where the cluster view (on the left) displays one primary appliance with a yellow warning icon indicating the appliance is in a Read-only mode.

    • web client: Navigate to Cluster > Cluster Management
  3. In the cluster view (on the left), select the read-only node to be activated.
  4. Click Activate.
  5. In the Activate confirmation dialog, enter the word Activate and click OK to proceed.

    The appliance's node in the cluster view (on the left) no longer displays the yellow warning icon and the state is now Online.

Diagnosing a cluster member

The diagnostic tools are available to an Appliance Administrator or Operations Administrator for the currently connected appliance and any other appliances (replicas) in the cluster.

To run diagnostics on a clustered appliance

  1. Go to Cluster Management:
    • web client: Navigate to Cluster > Cluster Management
  2. From the cluster view (on the left) select the appliance to be diagnosed.
  3. Click Diagnose.

  4. Click Network Diagnostics.
  5. Choose the type of test to perform and complete the steps.

    • ARP: Use Address Resolution Protocol (ARP) to discover the Interface, Internet Address, Physical Address, and Type (dynamic or static).
    • Netstat: Use netstat to display the active connection protocol, local address, foreign address, and state.
    • NS Lookup: To obtain your domain name or IP address.
    • Ping: To verify your network connectivity and response time.
    • Show Routes: To retrieve routing table information.
    • Telnet: To access remote computers over TCP/IP networks like the internet.
    • Throughput: Test throughput to other appliances in the cluster.
    • Trace Route: To obtain your router information; trace route determines the paths packets take from one IP address to another.
相关文档

The document was helpful.

选择评级

I easily found the information I needed.

选择评级