Tchater maintenant avec le support
Tchattez avec un ingénieur du support

One Identity Safeguard for Privileged Passwords 8.0 LTS - Administration Guide

Introduction System requirements Using API and PowerShell tools Using the virtual appliance and web management console Cloud deployment considerations Setting up Safeguard for Privileged Passwords for the first time Using the web client Home page Privileged access requests Appliance Management
Appliance Backup and Retention Certificates Cluster Global Services External Integration Real-Time Reports Safeguard Access Appliance Management Settings
Asset Management
Account Automation Accounts Assets Partitions Discovery Profiles Tags Registered Connectors Custom platforms Importing objects
Security Policy Management
Access Request Activity Account Groups Application to Application Cloud Assistant Asset Groups Entitlements Linked Accounts User Groups Security Policy Settings
User Management Reports Vaults Disaster recovery and clusters Administrator permissions Preparing systems for management Troubleshooting Frequently asked questions Appendix A: Safeguard ports Appendix B: SPP and SPS join guidance Appendix C: Regular Expressions

Connection deletion: soft delete versus hard delete

Depending on your goals, you can perform a soft delete or a hard delete.

Soft delete the connection

When a session connection is deleted, the connection information is soft deleted so that a relink of the same Safeguard for Privileged Sessions appliance can reuse the same values. This approach of soft deleting and reusing the same connection values on a relink avoids "breaking" all of the Access Request Polices that referenced the previous session connection.

Hard delete the connection

A hard delete can be performed to permanently remove the session connection. This is usually only done in cases where either a relink is not desired or retaining the previous session connection values is preventing a Safeguard for Privileged Sessions appliance from linking or relinking.

A hard delete can be performed from the API using the following steps for using PowerShell or Swagger.

Hard delete with PowerShell

The latest version of Safeguard PowerShell includes two cmdlets to perform the hard delete:

split-safeguardSessionCluster -SessionMaster <name or ID of session master>

Remove-SafeguardSessionSplitCluster -SessionMaster <name or ID of session master>

For more information, see OneIdentity/safeguard-ps.

Hard delete with Swagger

To perform hard deletion with Swagger

  1. In a browser, navigate to https://<your-ip-address>/service/core/swagger.

  2. Authenticate to the service using the Authorize button.

  3. Navigate to Cluster->GET /v4/cluster/SessionModules and click Try it out!.

  4. Identify if the unwanted session connection exists on the list:

    1. If the unwanted session connection exists in the list, then:

      1. Note the ID of the session connection.

      2. Navigate to Cluster DELETE /v4/cluster/SessionModules.

      3. Enter the ID.

      4. Click Try it out!.

      5. Go to step 3.

    2. If the unwanted session connection does not exist in the list, then:

      1. Set the includeDisconnected parameter to true.

      2. Click Try it out!.

      3. If the unwanted session connection exists in the list, then go to step 4a to delete the entry a second time which will result in a hard delete.

  5. The process is complete and the session connection is permanently removed.

Global Services

One Identity Safeguard for Privileged Passwords allows you to enable or disable Safeguard for Privileged Passwords services from the Global Services page.

By default, services are disabled for service accounts and for accounts and assets found as part of a discovery job. Service accounts can be modified to adhere to these schedules and discovered accounts can be activated when managed.

It is the responsibility of the Appliance Administrator to manage these settings.

  • Navigate to Global Services to see the settings listed below.
    • Appliance Administrators can click the Disable All button to disable all services (as long as at least one service is currently enabled). A dialog will appear asking for confirmation before disabling the services.
    • Click a toggle to change a setting: toggle on and toggle off.
    • Click Refresh to update the information on the page.
    Table 43: Global Services settings

    Setting

    Description

    Disable All

    Appliance Administrators can use this button to disable all services (as long as at least one service is currently enabled). A dialog will appear asking for confirmation before disabling the services. You will need to reenable each service individually.

    Requests

    Session Requests

    Session requests are enabled by default, indicating that authorized users can make session access requests. There is a limit of 1,000 sessions on a single access request.

    Click the Session Requests toggle to disable this service so sessions can not be requested.

    NOTE: When Session Requests is disabled, no new session access requests can be initiated. Depending on the access request policies that control the target asset/account, you will see a message informing you that the Session Request feature is not available.

    In addition, current session access requests cannot be launched. A message appears, informing you that Session Requests is not available. For example, you may see the following message: This feature is temporarily disabled. See your appliance administrator for details.

    Password Requests

    Password requests are enabled by default, indicating that authorized users can make password release requests

    Click the Password requests toggle to disable this service so passwords can not be requested.

    NOTE: Disabling the password request service will place any open requests on hold until this service is reenabled.

    SSH Key Requests

    SSH key requests are enabled by default, indicating that authorized users can make SSH key release requests

    Click the SSH Key requests toggle to disable this service so SSH keys can not be requested.

    NOTE: Disabling the SSH Key request service will place any open requests on hold until this service is reenabled.

    API Key Requests

    API key requests are enabled by default, indicating that authorized users can make API key release requests

    Click the API Key requests toggle to disable this service so API keys can not be requested.

    NOTE: Disabling the API Key request service will place any open requests on hold until this service is reenabled.

    Password Management

    Check Password Management

    Check password management is enabled by default, indicating that Safeguard for Privileged Passwords automatically performs the password check task if the profile is scheduled, and allows you to manually check an account's password.

    Click the Check password management toggle to disable the password validation service.

    NOTE:Safeguard for Privileged Passwords enables automatic password management services by default. Typically, you would only disable them during an organization-wide maintenance window.

    When disabling a password management service, Safeguard for Privileged Passwords allows all currently running tasks to complete; however, no new tasks will be allowed to start.

    Change Password Management

    Change password management is enabled by default, indicating that Safeguard for Privileged Passwords automatically performs the password change task if the profile is scheduled, and allows you to manually reset an account's password.

    Click the Change password management toggle to disable the password reset service.

    NOTE:Safeguard for Privileged Passwords enables automatic password management services by default. Typically, you would only disable them during an organization-wide maintenance window.

    When disabling a password management service, Safeguard for Privileged Passwords allows all currently running tasks to complete; however, no new tasks will be allowed to start.

    SSH Key Management

    Check SSH Key

    SSH key check is enabled by default, indicating that SSH key check is managed per the profile governing the partition's assigned assets and the assets' accounts.

    Click the Check SSH Key toggle to disable the check service.

    Change SSH Key

    SSH key change is enabled by default, indicating that SSH key change is managed per the profile governing the partition's assigned assets and the assets' accounts.

    Click the Change SSH Key toggle to disable the change service.

    API Key Management

    Check API Key

    API key check is enabled by default, indicating that API key check is managed per the profile governing the partition's assigned assets and the assets' accounts.

    Click the Check API Key toggle to disable the check service.

    Change API Key

    API key change is enabled by default, indicating that API key change is managed per the profile governing the partition's assigned assets and the assets' accounts.

    Click the Change API Key toggle to disable the change service.

    Discovery

    Asset Discovery

    Asset discovery is enabled by default, indicating that available Asset Discovery jobs find assets by searching directory assets, such as Active Directory, or by scanning network IP ranges. For more information, see Discovery.

    Account Discovery

    Account discovery is enabled by default, indicating that available Account Discovery jobs find accounts by searching directory assets such as Active Directory or by scanning local account databases on Windows and Unix assets (/etc/passwd) that are associated with the account discovery job. For more information, see Discovery.

    Service Discovery

    Service discovery is enabled by default, indicating that available Service Discovery jobs find Windows services that run as accounts managed by Safeguard. For more information, see Discovery..

    SSH Key Discovery

    SSH key discovery is enabled by default. With the toggle on, SSH keys in managed accounts are discovered. For more information, see SSH Key Discovery..

    Directory

    Directory Sync

    Directory sync is enabled by default, indicating that additions or deletions to directory assets are synchronized. You can set the number of minutes for synchronization. For more information, see Management tab (add asset).

    Audit Log Stream

    Audit Log Stream Service

    Use this to send SPP data to SPS to audit the Safeguard privileged management software suite. The feature is disabled by default.

    To accept SPP data, the SPS Appliance Administrator must turn on audit log syncing. For information, see the Safeguard for Privileged Sessions Administration Guide.

    SPP and SPS must be linked to use this feature. For more information, see Safeguard for Privileged Passwords and SPS appliance link guidance.

    While the synchronization of SPP and SPS is ongoing, SPS is not guaranteed to have all of the audit data at any given point due to some latency.

    NOTE: This setting is also available under Security Policy Management > Settings. For more information, see Security Policy Settings.

    SCIM Provisioning

    SCIM Provisioning

    Use this toggle to enable or disable SCIM provisioning on the appliance. For more information, see Adding identity and authentication providers.

    Application to Application

    Application to Application

    Use this toggle to enable or disable the application to application connection behind a web application firewall via the TLS termination reverse proxy.

    The following configuration information is displayed and can be updated using the button:

    • TLS Termination Reverse Proxy Subnet (CIDR format): The subnet for the TLS termination reverse proxy.

    • Service Port: The service port used for connecting. By default this is port 443.

    R
    Table 44: Global Services settings
    Setting Description

    Disable All

    Appliance Administrators can use this button to disable all services (as long as at least one service is currently enabled). A dialog will appear asking for confirmation before disabling the services. You will need to reenable each service individually.

  • External Integration

    The Appliance Administrator can:

    • Configure the appliance to send event notifications to various external systems.
    • Integrate with an external ticketing system or track generic ticket numbers.
    • Configure both external and secondary authentication service providers.

    Go to External Integration:

    • web client: Navigate to Appliance Management > External Integration.
    Table 45: External Integration settings
    Setting Description
    Email Where you configure Safeguard for Privileged Passwords to automatically send email notifications when certain events occur.
    Email Templates

    Where you configure Safeguard for Privileged Passwords email templates.

    Hardware Security Module

    Where you configure the Hardware Security Module integration, which allows Safeguard for Privileged Passwords to utilize an external Hardware Security Module device for encryption.

    SNMP Where you configure Safeguard for Privileged Passwords to send SNMP traps to your SNMP console when certain events occur.
    Starling Where you join Safeguard for Privileged Passwords to Starling to take advantage of Starling services.
    Syslog Where you configure Safeguard for Privileged Passwords to send event notifications to a syslog server with details about the event.
    Syslog Events

    Where, using an existing syslog server, you create a subscriber and assign events.

    Ticket systems Where you configure Safeguard for Privileged Passwords to integrate with your company's external ticket system or track generic tickets and not integrate with an external ticketing system.

    Trusted Servers, CORS, and Redirects

    Where you can restrict login redirects and Cross Origin Resource Sharing (CORS) requests to a specified list of IP addresses, host names (including DNS wildcards), and CIDR notation networks.

    Email

    It is the responsibility of the Appliance Administrator to configure Safeguard for Privileged Passwords to automatically send email notifications when certain events occur.

    Use the Email pane to configure the SMTP server to be used for email notifications and to edit the email templates that define the content of email notifications.

    Before you start

    Before configuring the SMTP server, perform the following, as needed.

    • Configure the DNS Server and set up the user's email address correctly.

    • If you are using a transport layer for email authentication, One Identity recommends that you create the certificate signing request (CSR) with SPP using the Add Certificate > Create Certificate Signing Request (CSR) option. For more information, see Creating an audit log Certificate Signing Request.

      CSRs may be installed in the following formats.

      • Install Certificate generated from CSR including:
        • DER Encoded Files (.cer, .crt, or .der)
        • PEM Encoded Files (.pem)
      • Install Certificate with Private Key including:
        • PKCS#12 (.p12 or .pfx)
        • Personal Information Exchange Files (.pfx)

    To configure the SMTP Server

    1. Go to SMTP Server:

      • web client: Navigate to External Integration > Email.

    2. To configure the email notifications, enter these global settings for all emails:

      • SMTP Server Address: Enter the IP address or DNS name of the mail server. When unspecified, the email client is disabled.

        When entering an IPv6 address, you must encapsulate it in square brackets, such as [b86f:b86f:b86f:1:b86f:b86f:b86f:b86f].

        If you are using a mail exchanger record (MX record), you must specify the domain name for the mail server.

      • SMTP Port: A default port is set for SMTP which should be changed, if needed. By default, the SMTP port is 465 or, if you are using SSL/TLS, the default is port 25. The range is 1 to 65535.
      • To add Transport Layer Security, select one of the following options:

        • Require STARTTLS: Elevates the connection from text-based to TLS by connecting to an SMTP server that supports the STARTTLS command.

        • Require SMTPS: Uses TLS immediately in its connection to the target SMTP server.

        • None: Applies no TLS to emails.

        If you selected Require STARTTLS or Require SMTPS, you can select one, both, or none of the following options:

        • Verify SSL Certificate: Verifies the SSL certificate of the remote SMTP server.

        • Use Client Certificate: Presents a Client Certificate during the TLS connection to the remote SMTP server.

      • User Authentication: Select an option if you want to authenticate access to the SMPT server.

        • Account: If selected, click Directory Account or Asset Account, then select the account to use for authentication.

          If you use a Directory Account when creating the account, select the Available for use across all partitions (Global Access) option for the account, because only accounts with this option will be displayed. For more information, see Adding an account.

        • Password: If selected, enter the Account Name and Account Password to use for authentication.

        • None: If selected, the user will not be authenticated.

      • Send Test Email To: Enter an email address to use as the "From" address for all emails originating from the appliance. The limit is 512 characters.

        NOTE: This option is mandatory if you specify the SMTP Server Address.

    To validate your setup

    Test the email setup. When you test, only test emails are handled.

    1. In Send Test Email To, enter the email address where the test message will be sent.

    2. Enter the Timeout for the test email, that is the duration from the start of the delivery to the time by which the email must be successfully sent or return an error notification. During testing, each IP address is tested and if one fails, then an error is returned for the entire process. The maximum timeout duration is 255 seconds per IP check. Error logs are kept for two days. During testing, the appliance attempts to send a valid From address with an invalid To address, resulting in delivery failure.

    3. Click Send Test Email. The email is sent using the configuration settings. If there is an error or timeout, a message appears in the user interface.

    4. Make sure that the email is delivered. If there is no message in the user interface but the email is not delivered, check the support bundle log files in the SMTPSVC1 folder. SPP keeps logs for two days. For more information, see Support bundle.

    Documents connexes

    The document was helpful.

    Sélectionner une évaluation

    I easily found the information I needed.

    Sélectionner une évaluation