Backup settings
You can configure an automatic backup schedule.
If you schedule a backup and a backup has already occurred for that interval (minute, hour, day, week, or month), another backup will not execute until the following minute, hour, day, week, or month. For example, if a backup has already occurred today and you set the backup schedule to run a daily backup, Safeguard for Privileged Passwords will not run the backup until tomorrow.
The backup schedule window end time must be after the start time.
Backup files to retain
In addition to completing the settings in the steps which follow, you can configure the maximum number of backup files you want Safeguard for Privileged Passwords to store on the appliance on the Safeguard Backup Retention page.
To configure the backup schedule
- Go to Safeguard Backup and Restore:
web client: Navigate to 
Settings | 
Backup and Retention | Safeguard Backup and Restore.
desktop client: Navigate to Administrative Tools | Settings | Backup and Retention | Safeguard Backup and Restore.
- Based on the client you are using, do one of the following:
- web client: Click
Settings.
- desktop client: Click Settings and select Backup Settings.
-
In the Backup Settings dialog, specify the backup schedule.
- Enter the schedule. (If you are using the desktop client, select the Backup Every check box to enter the schedule; if you deselect Backup Every, the details are lost.
-
Configure the following.
To specify the frequency without start and end times, select from the following controls. If you want to specify start and end times, go to the Use Time Window selection in this section.
Enter a frequency for Backup Every. Then, select a the time frame:
- Minutes: The job runs per the frequency of minutes you specify. For example, Every 30 Minutes runs the job every half hour over a 24-hour period. It is recommended you do not use the frequency of minutes except in unusual situations, such as testing.
-
Hours: The job runs per the minute setting you specify. For example, if it is 9 a.m. and you want to run the job every two hours at 15 minutes past the hour starting at 9:15 a.m., select Runs Every 2 Hours @ 15 minutes after the hour.
-
Days: The job runs on the frequency of days and the time you enter.
For example, Every 2 Days Starting @ 11:59:00 PM runs the job every other evening just before midnight.
-
Weeks The job runs per the frequency of weeks at the time and on the days you specify.
For example, Every 2 Weeks Starting @ 5:00:00 AM and Repeat on these days with MON, WED, FRI selected runs the job every other week at 5 a.m. on Monday, Wednesday, and Friday.
-
Months: The job runs on the frequency of months at the time and on the day you specify.
For example, If you select Every 2 Months Starting @ 1:00:00 AM along with First Saturday of the month, the job will run at 1 a.m. on the first Saturday of every other month.
-
Select Use Time Windows if you want to enter the Start and End time. You can click 
Add or 
Remove to control multiple time restrictions. Each time window must be at least one minute apart and not overlap.
For example, for a job to run every ten minutes every day from 10 p.m. to 2 a.m., enter these values:
Enter Every 10 Minutes and Use Time Windows:
If you have selected Days, Weeks, or Months, you will be able to select the number of times for the job to Repeat in the time window you enter.
For a job to run two times every other day at 10:30 am between the hours of 4 a.m. and 8 p.m., enter these values:
For days, enter Every 2 Days and set the Use Time Windows as Start 4:00:00 AM and End 20:00:00 PM and Repeat 2.
- (UTC) Coordinated Universal Time is the default time zone. Select a new time zone, if desired.
If the scheduler is unable to complete a task within the scheduled interval, when it finishes execution of the task, it is rescheduled for the next immediate interval.
- In Send to archive server, select an already configured archive server to store the backup files externally from the appliance during a scheduled backup or when manually running a backup. This option is only available if you have configured an archive server. For more information, see Adding an archive server. If you use the desktop client, you have to select the Send to archive server check box to make a selection.
- web client: You can select the Backup Protection settings. For more information, see Backup protection settings.
- Click OK to save your changes and leave the page. In the web client, you can click Apply to save your changes and stay on the page.
Backup protection settings
For maximum protection, set backup encryption on an appliance or on a primary appliance for cluster-wide protection. You may encrypt a Safeguard Backup File (.sgb) with one of the following methods:
Standard (default): No password or GPG key is required.
-
Password: You can enter any password value. You must have the password to restore the backup.
|
|
CAUTION: Make sure to save the password in a safe vault. There is no way to recover the password needed to restore the backup. |
-
GNU Privacy Guard (GPG) public key (RSA only): You can upload a .txt file with the public key and meta data or copy and paste the public key and meta data to Safeguard for Privileged Passwords. A backup file created with a GPG public key is encrypted when it is downloaded or archived. Only the private key holder can decrypt the backup file prior to the file being uploaded and restored. Once the private key holder decrypts the backup, the backup is the same as an unencrypted backup.
|
|
CAUTION: Make sure to save the GPG private key in a safe vault. There is no way to unencrypt the GPG protected file without the private key. |
Once set, future backups created manually or automatically are protected.
Safeguard for Privileged Passwords detects all attempted uploads of an invalid backup. If a backup is GNU Privacy Guard (GPG) encrypted, a message like the following displays: The uploaded file could not be validated as a genuine Safeguard backup image. It has been blocked from the appliance. An audit event is created for the failed backup load with the error reasons which include an invalid signature.
For details, see:
To configure backup protection
- If you will use GPG key protection, generate your public key file and create a .txt file to be uploaded or copy and pasted.
- Go to Safeguard Backup and Restore:
- web client: Navigate to Settings | Backup and Retention | Safeguard Backup and Restore. Then, click
Settings.
- desktop client: Navigate to Administrative Tools | Settings | Backup and Retention | Safeguard Backup and Restore. Then, click Settings then click Backup Protection Settings
- From the Backup Settings dialog, select the type of backup protection for the appliance. The settings on a primary appliance are replicated to the cluster. The settings are read-only on each cluster node.
- Appliance Protection Only: This is the default and includes no password or GPG Key protection of the backup.
- Add Password Protection: Once selected, enter the password in the Backup Password text box. If a password already exists, a static number of dots display. You can type in a new password in place of the existing password and then confirm the password. The password you type in is used for backups made from the time the password is set until it is changed. Make sure to keep the password information in a safe vault.
- Add GPG Key Protection: Once selected, do one of the following:
- Click Browse to upload the public key file from a .txt file you created earlier.
- Paste the public key information generated earlier into the text box.
When you navigate back to this dialog, you will see the name, fingerprint, and the detail to identify the public key file.
- Click OK.
Safeguard Backup Retention
Certificates settings
Use the Certificate settings to manage the certificates used to secure One Identity Safeguard for Privileged Passwords. The panes on this page display default certificates that can be replaced or user-supplied certificates that have been added to Safeguard for Privileged Passwords.
It is the responsibility of the Appliance Administrator to manage the Certificate Signing Requests (CSRs) used by Safeguard for Privileged Passwords.
Go to Certificates:
- web client: Navigate to Settings |
Certificates.
- desktop client: Navigate to Administrative Tools | Settings | Certificates.
Table 137: Certificates settings
|
Audit Log Signing Certificate |
Where you manage the audit log signing certificate used to validate audit logs stored on an archive server. When the audit log is exported, the log is signed with this certificate to ensure that it is legitimate and has not been tampered with after export. |
| Certificate Signing Request |
Where you can view and manage certificate signing requests (CSRs) that have been issued by Safeguard for Privileged Passwords. CSRs that may be created in Safeguard for Privileged Passwords include: Audit Log Signing Certificate, SMTP Client Certificate, SSL Certificates, or Syslog Client Certificates. |
|
SMTP Certificate |
Where you manage SMTP client certificates. |
| SSL/TLS Certificates |
Where you manage SSL/TLS certificates, including installing certificates or creating CSRs to enroll a public SSL/TLS certificate. This certificate is used to secure all HTTP traffic. |
|
Syslog Client Certificate |
Where you manage the syslog client certificate used to secure traffic between Safeguard for Privileged Passwords and the syslog server. |
| Trusted CA Certificates |
Where you add and manage certificates trusted by Safeguard for Privileged Passwordsand used to verify the chain of trust on certificates for various usages. For example , a trusted certificate may be your company's root Certificate Authority (CA) certificate or an intermediate certificate . |
