Chatta subito con l'assistenza
Chat con il supporto

Safeguard for Privileged Passwords On Demand Hosted - Evaluation Guide

Setting up the hardware appliance

CAUTION: To maximize security, restrict the access to MGMT interface to as few users as possible. The Management web kiosk gives access to functions without authentication, such as pulling a support bundle or rebooting the appliance.

Follow these steps to set up and configure the Safeguard for Privileged Passwords Appliance.

Step 1: Before you start

Ensure that you install the Microsoft .NET Framework 4.6 (or later) on your management host.

Step 2: Prepare for installation

Gather the following items before you start the appliance installation process:

  • Laptop
  • IP address
  • IP subnet mask
  • IP gateway
  • DNS server address
  • NTP server address
  • Safeguard for Privileged Passwords license

    If you purchased Safeguard for Privileged Passwords, the appropriate license files should have been sent to you via email. If you have not received an email or need it to be resent, visit https://support.oneidentity.com/contact-us/licensing. If you need to request a trial key, please send a request to sales@oneidentity.com or call +1-800-306-9329.

Step 3: Rack the appliance

Prior to installing the racks for housing the appliance, refer to the Warnings and precautions appendix in the One Identity Safeguard Appliance Setup Guide.

Step 4: Power on the appliance

Prior to powering up the appliance, see the Standardized warning statements for AC systems appendix in the One Identity Safeguard Appliance Setup Guide.

The Safeguard for Privileged Passwords Appliance includes dual power supplies for redundant AC power and added reliability.

  1. Plug the power cords to the power supply sockets on the appliance back and then connect the cords to AC outlets.

    TIP: As a best practice, connect the two power cords to outlets on different circuits. One Identity recommends using an UPS on all appliances.

  2. Press the Green check mark button on the front panel of the appliance for NO MORE THAN one second to power on the appliance.

    Caution: Once the Safeguard for Privileged Passwords Appliance is booted, DO NOT press and hold the Green check mark button. Holding this button for four or more seconds will cold reset the power of the appliance and may result in damage.

    You can use the Red X button to shut down the appliance. Once the Safeguard for Privileged Passwords Appliance is booted, press and hold the Red X button for four seconds until it displays POWER OFF.

    NOTE: If the Safeguard for Privileged Passwords Appliance is not yet booted, it may be necessary to press the Red X button for up to 13 seconds.

    Caution: Once the Safeguard for Privileged Passwords Appliance is booted, DO NOT press and hold the Red X button for more than 13 seconds. This will hard power off the appliance and may result in damage.

Step 5: Connect the management host to the appliance

The port used for a secure first-time configuration of the appliance is MGMT. This IP address is a fixed address that cannot be changed. It will always be available in case the primary interface becomes unavailable. The MGMT IP address is: 192.168.1.105.

The primary interface that connects your appliance to the network is X0. You must change the primary interface IP to match your network configuration. The default X0 IP is: 192.168.0.105.

The appliance can take up to five minutes to boot up. In addition, ping replies have been disabled on the appliance, so you will not be able to ping this secure appliance.

  1. Connect an Ethernet cable from the laptop to the MGMT port on the back of the appliance.
  2. Set the IP address of the laptop to 192.168.1.100, the subnet mask to 255.255.255.0, and no default gateway.

Step 6: Log in to Safeguard for Privileged Passwords

  1. Open a browser on the laptop and connect to the IP address of the MGMT port https://192.168.1.105.

    If you have problems accessing the configuration interface, check your browser Security Settings or try using an alternate browser.

  2. Accept the certificate and continue. This is only safe when using an Ethernet cable connected directly to the appliance.

  3. Log in to the Safeguard for Privileged Passwords web client using the Bootstrap Administrator account:
    • User name: admin
    • Password: Admin123

    The Bootstrap Administrator is a built-in account that allows you to get the appliance set up for first-time use. To keep your Safeguard for Privileged Passwords Appliance secure, change the default password for the Bootstrap Administrator’s account. For more information, see Completing the appliance setup.

  4. Configure the primary network interface (X0):
    • On the Appliance Configuration page, configure the following. Click the  Edit icon to modify these settings.
      • Time: Enable NTP and set the primary NTP server; if desired, set the secondary NTP server, as well. Click Save. By default, the NTP server is set to pool.ntp.org.

      • Network (X0):
        • Enter the appliance's IPv4 and/or IPv6 address information (IP address, Subnet Mask, Gateway).Directory or network scans are supported for IPv4 but not IPv6.
        • Enter the DNS server address.

        • Optional, enter the DNS suffixes.
        • Click Save.

    NOTE: Starting with Safeguard for Privileged Passwords 6.9, the Network Interface (X1) can be used to add additional virtual network adapters associated with the X1 ethernet port to enable VLAN support.

  5. Log in and download the desktop client to complete the next steps. For more information, see Completing the appliance setup.

Step 7: Connect the appliance to the network

Connect an Ethernet cable from your primary interface (X0) on the appliance to your network.

Step 8. After clustering, change the trusted servers, CORS, and redirects setting

As a best practice, after you have created your Safeguard for Privileged Passwords cluster (or if just using a single VM), change the Trusted Servers, CORS and Redirects setting to the empty string or a list of values to integration applications you wish to allow. For more details, see the Safeguard for Privileged Passwords Administration Guide, Trusted Servers, CORS and Redirects.

Setting up the virtual appliance

The Appliance Administrator uses the initial setup wizard to give the virtual appliance a unique identity, license the underlying operating system, and configure the network. The initial setup wizard only needs to be run one time after the virtual appliance is first deployed, but you may run it again in the future. It will not modify the appliance identity if run in the future.

Once set up, the Appliance Administrator can change the appliance name, license, and networking information, but not the appliance identity (ApplianceID). The appliance must have a unique identity.

The steps for the Appliance Administrator to initially set up the virtual appliance follow.

Step 1: Make adequate resources available

The virtual appliances default deploy does not provide adequate resources. The minimum resources required are: 4 CPUs, 10GB RAM, and a 500GB disk. Without adequate disk space, the patch will fail and you will need to expand disk space then re-upload the patch.

Step 2: Deploy the VM

Deploy the virtual machine (VM) to your virtual infrastructure. The virtual appliance is in the InitialSetupRequired state.

Hyper-V zip file import and set up

If you are using Hyper-V, you will need the Safeguard Hyper-V zip file distributed by One Identity to setup the virtual appliance. Follow these steps to unzip the file and import:

  1. Unzip the Safeguard-hyperv-prod... zip file.
  2. From Hyper-V, click Options.
  3. Select Action, Import Virtual Machine.
  4. On the Locate Folder tab, navigate to specify the folder containing the virtual machine to import then click Select Folder.
  5. On the Locate Folder tab, click Next.
  6. On the Select Virtual Machine tab, select Safeguard-hyperv-prod....
  7. Click Next.
  8. On the Choose Import Type tab, select Copy the virtual machine (create a new unique ID).
  9. Click Next.
  10. On the Choose Destination tab, add the locations for the Virtual machine configuration folder, Checkpoint store, and Smart Paging folder.
  11. Click Next.
  12. On the Choose Storage Folders tab, identify Where do you want to store the imported virtual hard disks for this virtual machine?.
  13. Click Next.
  14. Review the Summary tab, then click Finish.
  15. In the Settings, Add Hardware, connect to Safeguard's MGMT and X0 network adapter.
  16. Right-click on the Safeguard-hyperv-prod... and click Connect... to complete the configuration and connect.

Step 3: Initial access

Initiate access using one of these methods:

  • Via a virtual display: Connect to the virtual display of the virtual machine. You will not be offered the opportunity to apply a patch with this access method. Upload and download are not available from the virtual display. Continue to step 3. If you are using Hyper-V, make sure that Enhanced Session Mode is disabled for the display. See your Hyper-V documentation for details.
  • Via a browser: Configure the networking of your virtual infrastructure to proxy https://192.168.1.105 on the virtual appliance to an address accessible from your workstation then open a browser to that address. For instructions on how to do this, consult the documentation of your virtual infrastructure (for example, VMWare). You will be offered the opportunity to apply a patch with this access method. Upload and download are available from the browser. Continue to step 3.

    IMPORTANT: After importing the OVA and before powering it on, check the VM to make sure it doesn't have a USB controller. If there is a USB controller, remove it.

Step 4: Complete initial setup

Click Begin Initial Setup. Once this step is complete, the appliance resumes in the Online state.

Step 5: Log in and configure Safeguard for Privileged Passwords

  1. If you are applying a patch, check your resources and expand the disk space, if necessary. The minimum resources are: 4 CPUs, 10GB RAM, and a 500GB disk.
  2. To log in, enter the following default credentials for the Bootstrap Administrator then click Log in.
    • User Name: admin
    • Password: Admin123

  3. If you are using a browser connected via https://192.168.1.105, the Initial Setup pane identifies the current Safeguard version and offers the opportunity to apply a patch. Click Upload Patch to upload the patch to the current Safeguard version or click Skip. (This is not available when using the Safeguard Virtual Kiosk virtual display.)
  4. In the web management console on the Initial Setup pane, enter the following.
    1. Appliance Name: Enter the name of the virtual appliance.
    2. Windows Licensing: Select one of the following options:
      • Use KMS Server: If you leave this field blank, Safeguard will use DNS to locate the KMS Server automatically. For the KMS Server to be found, you will need to have defined the domain name in the DNS Suffixes.

        If KMS is not registered with DNS, enter the network IP address of your KMS server.

      • Use Product Key: If selected, your appliance will need to be connected to the internet for the necessary verification to add your organization's Microsoft activation key.

        You can update this information in Administrative Tools | Settings | Appliance | Operating System Licensing. For more information, see Operating system license in the Safeguard for Privileged Passwords Administration Guide.

    3. NTP: Complete the Network Time Protocol (NTP) configuration.
      • Select Enable NTP to enable the protocol.
      • Identify the Primary NTP Server IP address and, optionally, the Secondary NTP Server IP address.
    4. Network (X0): For the X0 (public) interface, enter the IPv4 and/or IPv6 information, and DNS Servers information. Directory or network scans are supported for IPv4 but not IPv6.
  5. Click Save. The virtual appliance displays progress information as it configures Safeguard, the network adapter(s), and the operating system licensing.
  6. When you see the message Maintenance is complete, click Continue.

Step 6: Access the desktop client or use the web client

You can go to the virtual appliance's IP address for the X0 (public) interface from your browser:

  • desktop client: Log in and download the desktop client. For more information, see the Safeguard for Privileged Passwords Administration Guide, Installing the desktop client.
  • web client: Use the web client. For more information, see the Safeguard for Privileged Passwords Administration Guide, Using the web client.

Step 7: Change the Bootstrap Administrator's password

For security reasons, change the password on the Bootstrap Administrator User. For details, see the Safeguard for Privileged Passwords Administration Guide, Setting a local user's password.

Step 8. After clustering, change the trusted servers, CORS, and redirects setting

As a best practice, after you have created your Safeguard for Privileged Passwords cluster (or if just using a single VM), change the Trusted Servers, CORS and Redirects setting to the empty string or a list of values to integration applications you wish to allow. For more details, see the Safeguard for Privileged Passwords Administration Guide, Trusted Servers, CORS and Redirects.

View or change the virtual appliance setup

You can view or change the virtual appliance setup.

  • From the web management console, click Home to see the virtual appliance name, licensing, and networking information.
  • After the first setup, Safeguard for Privileged Passwords updates and networking changes can be made via the web management console by clicking Setup.

Completing the appliance setup

After setting up the hardware appliance, complete these steps.

During initial installation and when applying a patch, make sure the desktop client file is the one supplied with the appliance version. If the versions are not compatible, errors will occur.

Step 1: Install the desktop client application and desktop player

NOTE: PuTTY is used to launch the SSH client for SSH session requests and is included in the install. The desktop client looks for any user-installed PuTTY in the following locations:

  • Any reference to putty in the PATH environment variable
  • c:/Program Files/Putty
  • c:/Program Files(x86)/Putty
  • c:/Putty

If PuTTY is not found, the desktop client uses the version of PuTTY that it installed at:

<user-home-dir>/AppData/Local/Safeguard/putty.

If the user later installs PuTTY in any of the locations above, the desktop client uses that version which ensures the user has the latest version of PuTTY.

Installing the Safeguard for Privileged Passwords desktop client application

CAUTION: The Safeguard for Privileged Passwords client version must match the installed Safeguard for Privileged Passwords version.

  1. To download the Safeguard for Privileged Passwords desktop client Windows installer .msi file, open a browser and navigate to:

    https://<Appliance IP>/Safeguard.msi

    Save the Safeguard.msi file in a location of your choice.

  2. Run the MSI package.
  3. Select Next in the Welcome dialog.
  4. Accept the End-User License Agreement and select Next.
  5. Select Install to begin the installation.
  6. Select Finish to exit the desktop client setup wizard.
  7. Check your desktop resolution. The desktop client works the best at a resolution of 1024 x 768 or greater.

Installing the Desktop Player

CAUTION: If the Desktop Player is not installed and a user tries to play back a session from the Activity Center, a message like the following will display: No Desktop Player. The Safeguard Desktop Player is not installed. Would you like to install it now? The user will need to click Yes to go to the download page to install the player following step 2 below.

  1. Once the Safeguard for Privileged Passwords installation is complete, go to the Windows Start menu, Safeguard folder, and click Download Safeguard Player to be taken to the One Identity Safeguard for Privileged Sessions - Download Software web page.
  2. Follow the Install Safeguard Desktop Player section of the player user guide found here:

    1. Go to One Identity Safeguard for Privileged Sessions - Technical Documentation.
    2. Scroll to User Guide and click One Identity Safeguard for Privileged Sessions [version] Safeguard Desktop Player User Guide.
  3. For Safeguard Desktop player version 1.8.6 and later, ensure your signed web certificate has a Subject Alternative Name (SAN) that includes each IP address of each of your cluster members. If the settings are not correct, the Safeguard Desktop Player will generate a certificate warning like the following when replaying sessions: Unable to verify SSL certificate. To resolve this issue, import the appropriate certificates including the root CA.

New Desktop Player versions

When you have installed a version of the Safeguard Desktop Player application, you will need to uninstall the previous version to upgrade to a newer player version.

Step 2: Start the desktop client
  1. Log in using the Bootstrap Administrator account.
  2. Run the desktop client and log in with the configured IPv4 or IPv6 address for the primary interface (X0). To log in with an IPv6 address, enter it in square brackets.
  3. License Safeguard for Privileged Passwords using the provided license file. Go to Licensing:
    • (web client): Click  Appliance on the left. The Settings: Appliance page displays. Click Licensing .
    • (desktop client): Navigate to Administrative Tools | Settings | Appliance | Licensing.

    Click to upload a new license file.

  4. Designate an archive server for storing session recordings. Defining archive server configurations and assigning an archive server to an appliance are done from the desktop's Administrative Tools view:

    • Go to Settings | Backup and Retention | Archive Servers to configure archive servers.
    • Go to Settings | Sessions | Session Recordings Storage Management to assign an archive server to an appliance for storing recording files.
  5. To configure the time zone:

    1. Navigate to Administrative Tools | Settings | Safeguard Access | Time Zone.
    2. Select the time zone in the Default User Time Zone drop-down menu.
  6. Ensure that your Safeguard for Privileged Passwords Appliance has the latest software version installed. To check the version:
    1. From the Safeguard for Privileged Passwords Desktop Client, log in with admin account credentials.
    2. Click Settings | Appliance | Appliance Information. The Appliance Version is displayed.
    3. Go to the following product support page for the latest version:

      https://support.oneidentity.com/one-identity-safeguard/download-new-releases

    4. If necessary, apply a patch. Wait for maintenance. If you are installing multiple patches, repeat as needed.

Changing the Bootstrap Administrator's password

The Bootstrap Administrator is a built-in account that allows you to get the appliance set up for first-time use. To keep your Safeguard for Privileged Passwords Appliance secure, once the license is added, change the default password for the Bootstrap Administrator’s account.

To change the password:

  • web client: Click your user name in the upper-right corner of the screen and select Change Password.
  • desktop client: Click your user name in the upper-right corner of the screen and select My Account then Change Password.

If this password is ever lost, you can reset it to the default of Admin123. See the Safeguard for Privileged Passwords Administration Guide, Admin password reset topic.

Step 3: Backup Safeguard for Privileged Passwords

Immediately after your initial installation of Safeguard for Privileged Passwords, make a backup of your Safeguard for Privileged Passwords Appliance.

NOTE: The default backup schedule runs at 22:00 MST, which can be modified rather than manually running a backup.

  1. From the Safeguard for Privileged Passwords desktop Home page, select  Administrative Tools.
  2. In Settings, select Backup and Retention | Backups.
  3. Click  Run Now.
Step 4: Update Safeguard for Privileged Passwords

Download the latest update from: https://support.oneidentity.com/one-identity-safeguard/.

  1. From the Safeguard for Privileged Passwords desktop Home page, select  Administrative Tools.
  2. In Settings, select Appliance | Updates.
  3. Click Upload a File and browse to select an update file.

    NOTE: When you select a file, Safeguard for Privileged Passwords uploads it to the server, but does not install it.

  4. Click Install Now to install the update file immediately.
  5. Once you have updated Safeguard for Privileged Passwords, be sure to back up your Safeguard for Privileged Passwords Appliance.
Step 5: Add a user with Authorizer administrative permissions

The Authorizer Administrator is responsible for granting administrative access to Safeguard for Privileged Passwords.

  1. From the Safeguard for Privileged Passwords desktop Home page, select  Administrative Tools.

    NOTE: This is where you add all the objects you need to write access request policies, such as users, accounts, and assets.

  2. In Administrative Tools, select Users.
  3. Click  Add User to create a Safeguard for Privileged Passwords user with a local authentication provider and Authorizer Administrator permissions.
    Username Password Permissions Description
    AuthorizerAdmin Test123 Authorizer The administrator responsible for granting all administrative access to Safeguard for Privileged Passwords.

    NOTE: When you choose Authorizer permissions, Safeguard for Privileged Passwords also selects User and Help Desk permissions. These additional settings cannot be cleared.

  4. Log out:
    1. In the upper-right corner of the screen, click the user avatar.
    2. Select Log Out.
Step 6: Change the local security policy

Before Safeguard for Privileged Passwords can reset local account passwords on Windows systems, you must change the local security policy.

  1. From the Windows Start menu, open Local Security Policy.
  2. Navigate to Local Policies | Security Options.
  3. Disable User Account Control: Run all administrators in Admin Approval Mode option.
  4. Restart your computer.
Step 7: Enable password authentication (applies to Privileged Sessions module only)

For some systems (SUSE and some Debian systems) that use SSH, you must enable password authentication in the package generated configuration file (sshd_config).

For example, in the debian sshd_config file, enable the following parameter: PasswordAuthentication yes

Creating authorizor admin and local admin users

Once you have successfully installed the desktop client application, you must add the objects you need to write access request policies, such as users, accounts, and assets. If your company practices the principles of separation of duties (SoD), the Authorizer Administrator needs to create the following additional administrators.

NOTE: A user can be assigned more than one set of permissions.

To add local administrator users

  1. Log in to the Windows desktop client application as the Bootstrap Administrator.
  2. From the Home page, navigate to Administrative Tools and select Users.
  3. Add the following additional local administrator users.

    IMPORTANT: After creating, log out as the Bootstrap Administrator and log in as the Authorizer Administrator. It is recommended you disable the Bootstrap Administrator for security purposes.

    Username Password Permissions Description

    AuthorizerAdmin

    (Log in as this user to create all other administrators.)

    Test123

    All

    The administrator responsible for creating all other administrators

    ApplianceAdmin Test123

    Appliance

    The administrator responsible for configuring the appliance
    AssetAdmin Test123 Asset The administrator responsible for adding and managing partitions, assets, and accounts
    Auditor Test123 Auditor The administrator responsible for reviewing all access request activity
    PolicyAdmin Test123 Security Policy The administrator responsible for defining the entitlements and policies that control which assets and accounts a user can access
    UserAdmin Test123 User The administrator responsible for managing users

NOTE: When you choose certain permissions, Safeguard for Privileged Passwords also selects additional permissions. Do not clear these additional settings.

Before you log out, verify that Safeguard for Privileged Passwords added these users.

To view the audit log

  1. From the Home page, navigate to the  Activity Center.
  2. Leave the default search criteria (I would like to see all activity occurring within the last 24 hours).
  3. Click Run.
  4. Explore the results.

    As the Authorizer Administrator, you can view User Authentication and Object History for Audit Events pertaining to users.

  5. Log out.
Related Documents

The document was helpful.

Seleziona valutazione

I easily found the information I needed.

Seleziona valutazione