Web management console system requirements
Table 7: Web kiosk requirements
Web management console |
Desktop browsers:
- Apple Safari 13.1 for desktop (or later)
- Google Chrome 80 (or later)
- Microsoft Edge 80 (or later)
- Mozilla Firefox 69 (or later)
|
Platforms and versions follow.
Supported platforms
One Identity Safeguard for Privileged Passwords supports a variety of platforms, including custom platforms.
Safeguard for Privileged Passwords tested platforms
The following table lists the platforms and versions that have been tested for Safeguard for Privileged Passwords (SPP). Additional assets may be added to Safeguard for Privileged Passwords. If you do not see a particular platform listed when adding an asset, use the Other, Other Managed, or Other Linux selection on the Management tab of the Asset dialog. For more information, see Management tab (add asset).
SPP joined to SPS: Sessions platforms
When Safeguard for Privileged Passwords (SPP) is joined with a Safeguard for Privileged Sessions (SPS) appliance, platforms are supported that use one of these protocols:
• SPP 2.8 or lower: RDP, SSH
• SPP 2.9 or higher: RDP, SSH, or Telnet
Some platforms may support more than one protocol. For example, a Linux (or Linux variation) platform supports both SSH and Telnet protocols.
Supported platform updates
For all supported platforms, it is assumed that the latest updates are applied.
Table 8: Supported platforms: Assets that can be managed
ACF2 - Mainframe |
r14, r15 |
zSeries |
True |
True |
ACF2 - Mainframe LDAP |
r14, r15 |
zSeries |
True |
False |
Active Directory |
|
|
True |
False |
AIX |
6.1, 7.1, 7.2 |
PPC |
True |
True |
Amazon Linux |
2 |
x86_64 |
True |
True |
Amazon Web Services (AWS) |
1 |
|
True |
False |
CentOS Linux |
6
7 |
(ver 6) x86, x86_64
(ver 7) x86_64 |
True |
True |
Cisco ASA |
7.x, 8.x |
|
True |
True |
Cisco IOS |
12.X, 15.X |
|
True |
True |
Debian GNU/Linux |
6, 7, 8, 9 |
x86, x86_64, MIPS, PPC, zSeries |
True |
True |
Dell iDRAC |
7, 8 |
|
True |
True |
ESXi (VSphere) |
5.5, 6.0, 6.5, 6.7 |
|
True |
False |
F5 Big-IP |
12.1.2, 13.0, 14.0 |
|
True |
True |
Fedora |
21, 22, 23, 24, 25, 26, 27, 28, 29, 30 |
x86, x86_64 |
True |
True |
Fortinet FortiOS |
5.2, 5.6 |
|
True |
True |
FreeBSD |
10.4, 11.1, 11.2 |
x86, x86_64 |
True |
True |
HP iLO |
2, 3, 4 |
x86 |
True |
True |
HP iLO MP |
2, 3 |
IA-64 |
True |
True |
HP-UX |
11iv2 (B.11.23), 11iv3 (B.11.31) |
PA-RISC, IA-64 |
True |
True |
IBM i (formerly AS/400) |
7.1, 7.2, 7.3 |
PPC |
True |
True |
Junos - Juniper Networks |
12, 13, 14, 15 |
|
True |
True |
macOS |
10.9, 10.10, 10.11, 10.12, 10.13 |
x86_64 |
True |
True |
MongoDB |
3.4, 3.6, 4.0 |
|
True |
False |
MySQL |
5.6, 5.7 |
|
True |
False |
OpenLDAP |
2.4 |
|
True |
False |
Oracle |
11g Release 2, 12c Release 1 |
|
True |
False |
Oracle Linux (OEL) |
6
7 |
(ver 6) x86, x86_64
(ver 7) x86_64 |
True |
True |
Other |
|
|
False |
False |
Other Linux |
|
|
True |
True |
Other Managed |
|
|
True |
False |
PAN-OS |
6.0, 7.0, 8.0, 8.1 |
|
True |
True |
PostgreSQL |
9.6, 10.2, 10.3, 10.4, 10.5 |
|
True |
False |
RACF - Mainframe |
z/OS V2.1 Security Server, z/OS V2.2 Security Server |
zSeries |
True |
True |
RACF - Mainframe LDAP |
z/OS V2.1 Security Server, z/OS V2.2 Security Server |
zSeries |
True |
False |
Red Hat Enterprise Linux (RHEL) |
6, 7, 8 |
(ver 6) x86, x86_64, PPC, zSeries
(ver 7 and 8) x86, x86_64, PPC, zSeries |
True |
True |
SAP HANA |
2.0 |
Other |
True |
False |
SAP Netweaver Application Server |
7.3, 7.4, 7.5 |
|
True |
False |
Solaris |
10, 11 |
(ver 10) SPARC, x86, x86_64
(ver 11) SPARC, x86_64 |
True |
True |
SonicOS |
5.9, 6.2 |
|
True |
False |
SonicWALL SMA or CMS |
11.3.0 |
|
True |
False |
SQL Server |
2012, 2014, 2016, 2017, 2019 |
|
True |
False |
SUSE Linux Enterprise Server (SLES) |
11
12 |
(ver 11) x86, x86_64, PPC, zSeries, IA-64
(ver 12) x86_64, PPC, zSeries |
True |
True |
Sybase (Adaptive Server Enterprise) |
15.7, 16 |
|
True |
False |
Top Secret - Mainframe |
r14, r15 |
zSeries |
True |
True |
Top Secret - Mainframe LDAP |
r14, r15 |
zSeries |
True |
False |
Ubuntu |
14.04 LTS, 15.04, 15.10, 16.04 LTS, 16.10, 17.04, 17.10, 18.04 LTS, 18.10, 19.04 |
x86, x86_64 |
True |
True |
Windows |
Vista, 7, 8, 8.1, 10 Enterprise (including LTSC and loT). |
|
True |
True |
Windows Server |
2008, 2008 R2, 2012, 2012 R2, 2016, 2019 |
|
True |
True |
Windows SSH |
7, 8, 8.1, 10
Server 2008 R2, 2012, 2012 R2, 2016, 2019
Windows SSH Other |
|
True |
True |
Table 9: Supported platforms: Directories that can be searched
Microsoft Active Directory |
Windows 2008+ DFL/FFL |
OpenLDAP |
2.4 |
For all supported platforms, it is assume that you are applying the latest updates. For unpatched versions of supported platforms, Support will investigate and assist on a case by case basis but it may be necessary for you to upgrade the platform or use SPP's custom platform feature.
Custom platforms
The following example platform scripts are available:
- Custom HTTP
- Linux SSH
- Telnet
- TN3270 transports are available
For more information, see Custom platforms and Creating a custom platform script.
|
CAUTION: Facebook and Twitter functionality has been deprecated. Refer to the custom platform open source script provided on GitHub. Facebook and Twitter platforms will be remove in a future release. |
Sample custom platform scripts and command details are available at the following links available from the Safeguard Custom Platform Home wiki on GitHub:
|
CAUTION: Example scripts are provided for information only. Updates, error checking, and testing are required before using them in production. Safeguard for Privileged Passwords checks to ensure the values match the type of the property that include a string, boolean, integer, or password (which is called secret in the API scripts). Safeguard for Privileged Passwords cannot check the validity or system impact of values entered for custom platforms. |
Setting up the virtual appliance
The Appliance Administrator uses the initial setup wizard to give the virtual appliance a unique identity, license the underlying operating system, and configure the network. The initial setup wizard only needs to be run one time after the virtual appliance is first deployed, but you may run it again in the future. It will not modify the appliance identity if run in the future.
Once set up, the Appliance Administrator can change the appliance name, license, and networking information, but not the appliance identity (ApplianceID). The appliance must have a unique identity.
The steps for the Appliance Administrator to initially set up the virtual appliance follow.
Step 1: Make adequate resources available
The virtual appliances default deploy does not provide adequate resources. The minimum resources required are: 4 CPUs, 10GB RAM, and a 500GB disk. Without adequate disk space, the patch will fail and you will need to expand disk space then re-upload the patch.
Step 2: Deploy the VM
Deploy the virtual machine (VM) to your virtual infrastructure. The virtual appliance is in the InitialSetupRequired state.
Hyper-V zip file import and set up
If you are using Hyper-V, you will need the Safeguard Hyper-V zip file distributed by One Identity to setup the virtual appliance. Follow these steps to unzip the file and import:
-
Unzip the Safeguard-hyperv-prod... zip file.
-
From Hyper-V, click Options.
- Select Action, Import Virtual Machine.
-
On the Locate Folder tab, navigate to specify the folder containing the virtual machine to import then click Select Folder.
-
On the Locate Folder tab, click Next.
-
On the Select Virtual Machine tab, select Safeguard-hyperv-prod..., then click Next.
- On the Choose Import Type tab, select Copy the virtual machine (create a new unique ID), then click Next.
- On the Choose Destination tab, add the locations for the Virtual machine configuration folder, Checkpoint store, and Smart Paging folder, then click Next.
- On the Choose Storage Folders tab, identify Where do you want to store the imported virtual hard disks for this virtual machine? then click Next.
- Review the Summary tab, then click Finish.
- In the Settings, Add Hardware, connect to Safeguard's MGMT and X0 network adapter.
- Right click on the Safeguard-hyperv-prod... and click Connect... to complete the configuration and connect.
Step 3: Initial access
Initiate access using one of these methods:
- Via a virtual display: Connect to the virtual display of the virtual machine. You will not be offered the opportunity to apply a patch with this access method. Upload and download are not available from the virtual display. Continue to step 4. If you are using Hyper-V, make sure that Enhanced Session Mode is disabled for the display. See your Hyper-V documentation for details.
-
Via a browser: Configure the networking of your virtual infrastructure to proxy https://192.168.1.105 on the virtual appliance to an address accessible from your workstation then open a browser to that address. For instructions on how to do this, consult the documentation of your virtual infrastructure (for example, VMWare). You will be offered the opportunity to apply a patch with this access method. Upload and download are available from the browser. Continue to step 4.
IMPORTANT: After importing the OVA and before powering it on, check the VM to make sure it doesn't have a USB controller. If there is a USB controller, remove it.
Step 4: Complete initial setup
Click Begin Initial Setup. Once this step is complete, the appliance resumes in the Online state.
Step 5: Log in and configure Safeguard for Privileged Passwords
- If you are applying a patch, check your resources and expand the disk space, if necessary. The minimum resources are: 4 CPUs, 10GB RAM, and a 500GB disk.
- To log in, enter the following default credentials for the Bootstrap Administrator then click Log in.
- User Name: admin
-
Password: Admin123
- If you are using a browser connected via https://192.168.1.105, the Initial Setup pane identifies the current Safeguard version and offers the opportunity to apply a patch. Click Upload Patch to upload the patch to the current Safeguard version or click Skip. (This is not available when using the Safeguard Virtual Kiosk virtual display.)
- In the web management console on the Initial Setup pane, enter the following.
- Appliance Name: Enter the name of the virtual appliance.
- Windows Licensing: Select one of the following options:
-
Use KMS Server: If you leave this field blank, Safeguard will use DNS to locate the KMS Server automatically. For the KMS Server to be found, you will need to have defined the domain name in the DNS Suffixes.
If KMS is not registered with DNS, enter the network IP address of your KMS server.
-
Use Product Key: If selected, your appliance will need to be connected to the internet for the necessary verification to add your organization's Microsoft activation key.
You can update this information in Administrative Tools | Settings | Appliance | Operating System Licensing. For more information, see Operating system licensing.
- NTP: Complete the Network Time Protocol (NTP) configuration.
- Select Enable NTP to enable the protocol.
- Identify the Primary NTP Server IP address and, optionally, the Secondary NTP Server IP address.
- Network (X0): For the X0 (public) interface, enter the IPv4 and/or IPv6 information, and DNS Servers information.
- Click Save. The virtual appliance displays progress information as it configures Safeguard, the network adapter(s), and the operating system licensing.
- When you see the message Maintenance is complete, click Continue.
Step 6: Access the desktop client or use the web client
You can go to the virtual appliance's IP address for the X0 (public) interface from your browser:
Step 7: Change the Bootstrap Administrator's password
For security reasons, change the password on the Bootstrap Administrator User. For more information, see Setting a local user's password.
View or change the virtual appliance setup
You can view or change the virtual appliance setup.
- From the web management console, click Home to see the virtual appliance name, licensing, and networking information.
- After the first setup, Safeguard for Privileged Passwords updates and networking changes can be made via the web management console by clicking Setup.
License: hardware, virtual, expiration
One Identity Safeguard for Privileged Passwords is made up of a core set of features, such as the UI and Web Services layers, and a number of modules.
Hardware appliance
The One Identity Safeguard for Privileged Passwords 3000 Appliance and 2000 Appliance ship with the following module which requires a valid license to enable functionality:
You must install a valid license for each Safeguard for Privileged Passwords module to operate. More specifically, if any module is installed, Safeguard for Privileged Passwords will show a license state of Licensed and is operational. However, depending on which models are licensed, you will see limited functionality. That is, even though you will be able to configure access requests:
- If a Privileged Passwords module license is not installed, you will not be able to request a password release.
Virtual appliance licensing
You must license the virtual appliance with a Microsoft Windows license. We recommend using either the MAK or KMS method. Specific questions about licensing should be directed to your Sales Representative.
Privileged sessions is available via a join to Safeguard for Privileged Sessions.
The virtual appliance will not function unless the operating system is properly licensed.
License expiration notice
As an Appliance Administrator:
- If you receive a "license expiring" notification, apply a new license using that module's Update License link:
- (web client): Click the Settings menu on the left then click Licensing . Click to upload a new license file.
- (desktop client): Navigate to Administrative Tools | Settings | Appliance | Licensing. Click to upload a new license file.
- If all licensed modules have expired, you will be prompted to add a new license when logging in to the Safeguard for Privileged Passwords desktop client.
- If only one of the licensed modules have expired, apply a new module license by clicking in Administrative Tools | Settings | Appliance | Licensing.
As a Safeguard for Privileged Passwords user, if you get an "appliance is unlicensed" notification, contact your Appliance Administrator.
For more information on adding or updating a Safeguard for Privileged Passwords license, see Licensing.