Tchater maintenant avec le support
Tchattez avec un ingénieur du support

One Identity Safeguard for Privileged Sessions 7.2.1 - Installation Guide

One Identity Safeguard for Privileged Sessions Hardware Installation Guide

This document describes how to set up the One Identity Safeguard for Privileged Sessions (SPS) hardware. Refer to the following documents for step-by-step instructions:

Installing the SPS hardware

The following describes how to install a single SPS unit.

To install a single SPS unit

  1. Unpack SPS.

  2. (Optional) Install SPS into a rack with the slide rails. Slide rails are available for all SPS appliances.

  3. Connect the cables.

    1. Connect the Ethernet cable facing your LAN to the Ethernet connector labeled as 1. This is physical interface 1 of SPS. This interface is used for the initial configuration of SPS, and for monitoring connections. (For details on the roles of the different interfaces, see "Network interfaces" in the Administration Guide.)

    2. (Optional) To use SPS across multiple physical (L1) networks, you can connect additional networks using physical interface 2 (Ethernet connector 2) and physical interface 3 (Ethernet connector 3).

    3. Connect an Ethernet cable that you can use to remotely support the SPS hardware to the IPMI interface of SPS. For details, see the following documents:

      For Safeguard Sessions Appliance 3000 and 3500, see the X9 SMT IPMI User's Guide.

      For Safeguard Sessions Appliance 4000, see the X12 H12 BMC User's Manual

      Caution:

      Connect the IPMI before plugging in the power cord. Failing to do so will result in IPMI failure.

      Caution: SECURITY HAZARD!

      The IPMI, like all out-of-band management interfaces, has known vulnerabilities that One Identity cannot fix or have an effect on. To avoid security hazards, One Identity recommends that you only connect the IPMI to well-protected, separated management networks with restricted accessibility. Failing to do so may result in an unauthorized access to all data stored on the SPS appliance. Data on the appliance can be unencrypted or encrypted, and can include sensitive information, for example, passwords, decryption keys, private keys, and so on.

      For more information, see Best Practices for managing servers with IPMI features enabled in Datacenters.

      NOTE: The administrator of SPS must be authorized and able to access the IPMI for support and troubleshooting purposes in case vendor support is needed.

      The following ports are used by the IPMI:

      • Port 22 (TCP): SSH (configurable)

      • Port 80 (TCP): Web (configurable)

      • Port 161 (UDP, TCP): SNMP (configurable)

      • Port 443 (TCP): Web SSL (configurable)

      • Port 623 (UDP): Virtual Media (configurable)

      • Port 5900 (TCP): IKVM Server (configurable)

      • Port 5985 (TCP): Wsman (configurable)

    4. (Optional) Connect the Ethernet cable connecting SPS to another SPS node to the Ethernet connector labeled as 4. This is the high availability (HA) interface of SPS. (For details on the roles of the different interfaces, see "Network interfaces" in the Administration Guide.)

    5. (Optional) The Safeguard Sessions Appliance 3500 and 4000 are equipped with a dual-port SFP+ interface card labeled 5 and 6. Optionally, connect a supported SFP+ module to these interfaces.

      NOTE: For a list of compatible connectors, see Linux Base Driver for 10 Gigabit Intel Ethernet Network Connection. Note that SFP transceivers encoded for non Intel hosts may be incompatible with the Intel 82599EB host chipset found in SPS.

  4. Power on the hardware.

  5. Change the BIOS password on the One Identity Safeguard for Privileged Sessions. The default password is ADMIN or changeme, depending on your hardware.

  6. Change the IPMI password on the One Identity Safeguard for Privileged Sessions. The default password is ADMIN or changeme, depending on your hardware.

    NOTE: Ensure that you have the latest version of IPMI firmware installed. You can download the relevant firmware from the One Identity Knowledge base.

    To change the IPMI password, connect to the IPMI remote console.

    NOTE: If you encounter issues when connecting to the IPMI remote console, add the DNS name or the IP address of the IPMI to the exception list (whitelist) of the Java console. For details on how to do this, see the Java FAQ entry titled How can I configure the Exception Site List?.

  7. Following boot, SPS attempts to receive an IP address automatically via DHCP. If it fails to obtain an automatic IP address, it starts listening for HTTPS connections on the 192.168.1.1 IP address.

    To configure SPS to listen for connections on a custom IP address, complete the following steps:

    1. Access SPS from the local console, and log in with username root and password default.

    2. Select Shells > Core shell in the Console Menu.

    3. Change the IP address of SPS:

      ifconfig eth0 <IP-address> netmask 255.255.255.0

      Replace <IP-address> with an IPv4 address suitable for your environment.

    4. Set the default gateway using the following command:

      route add default gw <IP-of-default-gateway>

      Replace <IP-of-default-gateway> with the IP address of the default gateway.

    5. Type exit, then select Logout from the Console Menu.

  8. Connect to the SPS web interface from a client machine and complete the Welcome Wizard as described in "The Welcome Wizard and the first login" in the Administration Guide.

Installing two SPS units in HA mode

Caution:

Creating a High-availability (HA) node pair from different types of hardware is not possible. The primary and the secondary HA nodes have to run on the same type of hardware.

Caution:

Make sure that you upgrade SPS to version 7.1, 7.0.1 or later on an M2018 Appliance 3500 server if you want to use it together with an M2022 Appliance 3500 server in an HA node pair.

The following describes how to install SPS with high availability support.

To install SPS with high availability support

  1. For the first SPS unit, complete Installing the SPS hardware.

  2. For the second SPS unit, complete Steps 1-3 of Installing the SPS hardware.

  3. Connect the two units with an Ethernet cable via the Ethernet connectors labeled as 4.

  4. Power on the second unit.

  5. Change the BIOS and IPMI passwords on the second unit. The default password is ADMIN or changeme, depending on your hardware.

  6. Connect to the SPS web interface of the first unit from a client machine and enable the high availability mode. Navigate to Basic Settings > High Availability . Click Convert to Cluster, then reload the page in your browser.

  7. Click Reboot Cluster.

  8. Wait until the slave unit synchronizes its disk to the master unit. Depending on the size of the hard disks, this may take several hours. You can increase the speed of the synchronization via the SPS web interface at Basic Settings > High Availability > DRBD sync rate limit.

Hardware specifications

One Identity Safeguard for Privileged Sessions appliances are built on high performance, energy efficient, and reliable hardware that are easily mounted into standard rack mounts.

Table 1: Hardware specifications
Product Redundant PSU Processor Memory Capacity RAID IPMI
Safeguard Sessions Appliance 3000 Yes

1x Intel Xeon E3-1275 v6 3.80GHz

2 x 16 GB 4x2 TB NLSAS LSI MegaRAID SAS 9361-4i Single Yes
Safeguard Sessions Appliance 3500 Yes 2x Intel Xeon Silver 4110 2.1GHz 8 x 8 GB 9x2 TB NLSAS 1 x Broadcom MegaRAID SAS 9361-16i + LSI Avago CacheVault Power Module 02 (CVPM02) Kit Yes

Safeguard Sessions Appliance 4000

Yes

1 x Intel Xeon Silver ICX 4310T @ 2.30GHz, 10C/20T

8 x 8 GB

4x20 TB SAS/SATA

1 x Broadcom 9560-8i RAID controller

1 x Broadcom CacheVault battery

Yes

The Safeguard Sessions Appliance 3500 is equipped with a dual-port 10Gbit interface. This interface has SFP+ connectors (not RJ-45) labeled 5 and 6, and can be found right of the Label 1 and 2 Ethernet interfaces. If you want faster communication, for example, in case of high data load, you can connect up to two 10Gbit network cards. These cards are not shipped with the original package and have to be purchased separately.

Documents connexes

The document was helpful.

Sélectionner une évaluation

I easily found the information I needed.

Sélectionner une évaluation