You can change how you want Safeguard for Privileged Passwords to connect to and communicate with the discovered assets. The default Connection Template is None so assets are authenticated manually.
Navigate to:
- web client: Asset Management > Discovery > Assets > (add or edit Asset Discovery job) > New Asset Discovery Job dialog > Asset Discovery Rules tab > (add asset discovery rule) > New Asset Discovery Rule dialog > Connection Template tab
Discovery details
- Once Safeguard for Privileged Passwords creates an asset, it will not attempt to re-create it or modify the asset if the asset is rediscovered by a different job.
- Any SSH host keys encountered in discovery will be automatically accepted.
- You can configure multiple rules for an Asset Discovery job. When Safeguard for Privileged Passwords runs the Asset Discovery job, if it finds an asset with more than one rule, it applies the connection and profile settings of the first rule that discovers the asset.
To edit connection template information
- Navigate to the New Asset Discovery Rule dialog, and open the Connection Template tab.
- In the Connection Template tab, Use Discovered Platform is selected by default. By deselecting this option, you can select a different platform using the Platform field and may need to completed additional information based on the product selected.
-
Select an Authentication Type and complete the information required for your selection.
-
SSH Key: To authenticate to the asset using an SSH authentication key, select the SSH Key Generation and Deployment Settings:
- Automatically Generate and deploy a new SSH Key: Select this option to generate and deploy a new SSH authentication key.
- Automatically Generate a new SSH Key that I will deploy myself: Select this option to generate the SSH authentication key and manually append this public key to the authorized keys file on the managed system for the service account. For more information, see Downloading a public SSH key.The SSH authentication key becomes available after Safeguard for Privileged Passwords creates the asset. If you do not select this option, Safeguard for Privileged Passwords automatically installs the SSH authentication key. If you do select this option, Safeguard for Privileged Passwords creates the key and associates it with the Safeguard for Privileged Passwords asset you are creating, but it does not install it on the managed system for you.
-
Import an SSH Key that I will deploy myself: Select this option, then Browse to import an SSH authentication key and enter the Password. The private key will be associated with the service account.
NOTE:Safeguard for Privileged Passwords does not currently manage the options for an authorized key. If an imported key has any options configured in the authorized keys file on the asset, these options will not be preserved when the key is rotated by Safeguard for Privileged Passwords.
- The following display based on whether you are generating or importing the SSH key:
- SSH Key: (Import) Click Browse to select the SSH key to import. On the Import SSH Key dialog, browse for the Private Key File and enter the Password.
- Key Comment: Enter a meaningful comment. If left blank, the comment will default to Generated by Safeguard.
- Service Account Name: Enter the name of the service account.
- Password: (Automatic generation) Enter the password.
- Service Account Password Profile can be edited or removed. Available profiles are based on the partition selected on the General tab (asset discovery).
- Service Account SSH Key Profile can be edited or removed. Available profiles are based on the partition selected on the General tab (asset discovery).
-
Directory Account: To authenticate to the assets using the service account from an external identity store such as Microsoft Active Directory, select the service account.
- Account Name: Click Browse to choose the directory account.
- Service Account Password Profile can be edited or removed. Available profiles are based on the partition selected on the General tab (asset discovery).
-
Password: To authenticate to the assets using a local service account and password.
- Account Name and Password: Enter these values.
- Service Account Password Profile can be edited or removed. Available profiles are based on the partition selected on the General tab (asset discovery).
- Starling Connect: To authenticate to the assets using Starling Connect.
- Account Name and Password: Enter these values.
- None: The accounts associated with the asset are not managed and no asset related credentials are stored.
-
-
The following information may be needed, based on the Authentication Type selected.
- Privilege Elevation Command:
If required, enter a privilege elevation command (such as sudo). This is used as a prefix for commands that require privileged access on the system and to manage accounts on Unix-based systems; that is, to check and change SSH keys and to discover accounts.
Sudo commands follow.
- AuthorizedKeyCommand
Specify a program to look up the user's public keys- cat
- chmod
- chown
- cp
- echo
- egrep
- find
- grep
- host
- ls
- mkdir
- mv
- rm
- sed
- sshd
- ssh-keygen
- tee
- test
- touch
- usermod
When adding an asset, this command is used to perform Test Connection. For more information, see About Test Connection.
The privilege elevation command must run non-interactively, that is, without prompting for a password. For more information, see Preparing Unix-based systems.
The limit is 255 characters.
- Port: Enter the port number for the connection.
- Allow Session Requests: This check box is selected by default indicating that authorized users can request session access for the discovered assets. Clear the check box if you do not want to allow session requests for the asset.
- RDP Port: Specify the access port on the target server to be used for RDP session requests.
- SSH Port: Specify the access port on the target server to be used for SSH session requests.
- Connection Timeout: Enter how long to wait (in seconds) for both the connect and command timeout.
- Privilege Level Password: Enter the system enable password to allow access to the configuration.
- Client ID: Enter the application Client ID (for example, for ServiceNow or SAP).
- Use SSL Encryption: Select this option to enable Safeguard to encrypt communication with this asset. If you do not select this option for a MicrosoftSQL Server that is configured to force encryption, Test Connection will use untrusted encryption and succeed with valid credentials. For more information about how Safeguard database servers use SSL, see How do Safeguard for Privileged Passwords database servers use SSL
-
Verify SSL Certificate: Use this option to enable or disable SSL Certificate verification on the asset. When enabled, Safeguard for Privileged Passwords compares the signing authority of the certificate presented by the asset to the certificates in the Trusted CA Certificates store every time Safeguard for Privileged Passwords connects to the asset. Trust must be established for Safeguard for Privileged Passwords to manage the asset. For Safeguard for Privileged Passwords to verify an SSL certificate, you must add the asset's signing authority certificate to the Trusted CA Certificates store. Only clear the Verify SSL Certificate option if you do not want to establish trust with the asset.certificate in Safeguard for Privileged Passwords's Trusted CA Certificates store. One Identity does not recommend disabling this option in production environments.
- Workstation ID: Specify the configured workstation ID, if applicable. This option is for IBM i systems.
-
Instance/Service Name): For SQL Server platforms, specify the Instance name if you have configured multiple instances of a SQL Server on this asset. If you have configured a default (unnamed) instance of the SQL Server on the host, you need to provide the IP address and port number.
For Oracle platforms, use the TNSNAMES naming method to identify the target system in Oracle. Depending on how the Oracle environment is configured, the Instance (also called SID in Oracle) and/or the Service Name (ServiceName) can be used to identify the target database.
- Privilege Elevation Command:
- Click OK.
- If asked to Verify Host Authenticity, click Yes to accept the SSH Key for the host.