Chatta subito con l'assistenza
Chat con il supporto

One Identity Safeguard for Privileged Passwords 7.5 - Administration Guide

Introduction System requirements and versions Using API and PowerShell tools Using the virtual appliance and web management console Cloud deployment considerations Setting up Safeguard for Privileged Passwords for the first time Using the web client Home page Privileged access requests Appliance Management
Appliance Backup and Retention Certificates Cluster Global Services External Integration Real-Time Reports Safeguard Access Appliance Management Settings
Asset Management
Account Automation Accounts Assets Partitions Discovery Profiles Tags Registered Connectors Custom platforms Importing objects
Security Policy Management
Access Request Activity Account Groups Application to Application Cloud Assistant Asset Groups Entitlements Linked Accounts User Groups Security Policy Settings
User Management Reports Disaster recovery and clusters Administrator permissions Preparing systems for management Troubleshooting Frequently asked questions Appendix A: Safeguard ports Appendix B: SPP and SPS join guidance Appendix C: Regular Expressions

About service accounts

SPP uses a service account to connect to an asset to securely manage accounts and passwords on that asset. Therefore, a service account needs sufficient permissions to edit the passwords of other accounts.

When you add an asset, SPP adds its service account to the list of Accounts. By default, SPP automatically manages the service account password and SSH keys according to the check and change schedules in the profile that governs its asset. See: Creating a password profile and Creating an SSH key profile.

When adding a service account, SPP automatically disables it from access requests. If you want the password or SSH key to be available for release, click Access Requests and select Enable Password Request or Enable SSH Key Request. If you want to enable session access, select Enable Session Request.

TIP: As a best practice, if you do not want SPP to manage a service account password or SSH key, add the account to a profile that is set to never change passwords or SSH keys.

If you delete a service account, SPP changes the asset's authentication type to None, which disables automatic password or SSH key management for all accounts that are associated with this asset. A user can continue to check out the passwords or SSH keys, however, if the policy that governs the account requires that it change the password or SSH key after release, the password or SSH key can get stuck in a pending password reset state. For more information, see Password or SSH key is pending a reset..

Test connectivity

The most common causes of failure in SPP are either connectivity issues between the appliance and the managed system, or problems with service accounts. If you experience issues, first verify that you can access the managed system from another system (independent of SPP), using the service account. For more information about troubleshooting connectivity issues, see Test Connection failures and Connectivity failures.

About Test Connection

When adding an asset, Test Connection verifies that SPP can log in to the asset using the service account credentials that you have provided.

When adding an asset that requires an SSH host key, Test Connection first discovers the key and presents it to you for acceptance. When you accept it, Test Connection then verifies that SPP can log in to the asset using the service account credentials that you have provided.

Once you save the new asset, SPP saves the service account credentials. SPP uses these credentials to connect to an asset to securely manage accounts and passwords on that asset. For more information, see About service accounts..

If you want to verify an existing asset's connectivity, use the Test Connection button in the web client. For more information, see Checking an asset's connectivity..

If you have entered values for Specify Domain Controllers and if SPP does not find a domain controller in the list, the test connection fails and an error is returned.

Related Topics

Test Connection failures

SSH Key

On the Connection tab, you can configure SPP to authenticate to a managed system using an SSH authentication key. To rotate SSH keys, you must select the Manage SSH Key option in the asset's profile change schedule. For more information, see Adding SSH key change settings..

NOTE: This option is not available for all operating systems. But if a SPP asset requires an SSH host key and does not have one, Check SSH Key, Change SSH Key, and Test Connection will fail. For more information, see Connectivity failures..

The information that displays depends on whether you choose to automatically generate the SSH key or import and manually deploy the SSH key.

Table 109: SSH Key authentication type properties
Property Description

SSH Key Generation and Deployment

Select one of the following options:

  • Automatically generate and deploy a new SSH Key

    • In the Password field, enter the password for the SSH Key.

  • Automatically generate a new SSH Key that I will deploy myself

  • Import an SSH Key that I will deploy myself

    NOTE:SPP does not currently manage the options for an authorized key. If an imported key has any options configured in the authorized keys file on the asset, these options will not be preserved when the key is rotated by SPP.

    1. Click Browse. On the Import an SSH Key dialog, click Browse then select the Private Key File.

    2. Enter a Password, if desired. A password is required if the private key is encrypted.

    3. Click Import.

Key Comment

(Optional) Enter a description of this SSH key. Maximum length of 225 characters.

Account Name

Enter the service account name that SPP is to use for management tasks. This is the account SPP uses to install the SSH authentication key on the asset. For more information, see About service accounts..

Privilege Elevation Command

If required, enter a privilege elevation command (such as sudo). This is used as a prefix for commands that require privileged access on the system and to manage accounts on Unix-based systems; that is, to check and change SSH keys and to discover accounts.

Sudo commands follow.

  • AuthorizedKeyCommand
Specify a program to look up the user's public keys
  • cat
  • chmod
  • chown
  • cp
  • echo
  • egrep
  • find
  • grep
  • host
  • ls
  • mkdir
  • mv
  • rm
  • sed
  • sshd
  • ssh-keygen
  • tee
  • test
  • touch
  • usermod

When adding an asset, this command is used to perform Test Connection. For more information, see About Test Connection..

The privilege elevation command must run non-interactively, that is, without prompting for a password. For more information, see Preparing Unix-based systems.

The limit is 255 characters.

Auto Accept SSH Host Key

Select this option to have SPP automatically accept the SSH host key when it creates the SPP asset.

When this option is selected, SPP displays the thumbprint of the SSH host key that was discovered. When a managed system requiring an SSH host key does not have one, Check SSH Key will fail. For more information, see Connectivity failures..

Test Connection

Click this button to verify that SPP can log in to this asset using the service account credentials you have provided. For more information, see About Test Connection..

Port

Enter the port number used by SSH to log in to the managed system.

Required

Connection Timeout

Enter how long to wait (in seconds) for both the connect and command timeout.

Default: 20 seconds

(Custom platform operation

e.g Check System Properties)

If there is a custom parameter in the custom platform script, enter the custom parameter here. The list of system parameters are here: Writing a custom platform script. Any parameter not in the list is a custom parameter.

Directory Account

NOTE: Only available for some types of directory accounts.

On the Connection tab, you can configure SPP to authenticate to a managed system using an account from an external identity store such as Microsoft Active Directory. In order to use this authentication type, you must first add a directory asset to SPP and add domain user accounts. Managed account users cannot be members of the Protected Users AD Security Group. For more information, see Accounts..

Table 110: Directory Account authentication type properties
Property Description
Service Account Name

Click Select Account. Choose the service account name used for management tasks. The accounts available for selection are domain user accounts that are linked to a directory that was previously added to SPP.

Service Account Password

If required, enter the password used to authenticate.

Privilege Elevation Command

If required, enter a privilege elevation command (such as sudo). This is used as a prefix for commands that require privileged access on the system and to manage accounts on Unix-based systems; that is, to check and change SSH keys and to discover accounts.

Sudo commands follow.

  • AuthorizedKeyCommand
Specify a program to look up the user's public keys
  • cat
  • chmod
  • chown
  • cp
  • echo
  • egrep
  • find
  • grep
  • host
  • ls
  • mkdir
  • mv
  • rm
  • sed
  • sshd
  • ssh-keygen
  • tee
  • test
  • touch
  • usermod

When adding an asset, this command is used to perform Test Connection. For more information, see About Test Connection..

The privilege elevation command must run non-interactively, that is, without prompting for a password. For more information, see Preparing Unix-based systems.

The limit is 255 characters.

Test Connection

Click this button to verify that SPP can log in to this asset using the service account credentials you have provided. For more information, see About Test Connection..

Service Account Profile

  • Click Edit to add the profile or Remove to delete the assigned profile. Available profiles are based on the partition selected on the General tab (asset discovery). To update the profile later, go to the service account and update the profile. For more information, see Properties (account)..
  • Use Named Pipe for service account connection

    Select to use the Named Pipe when connecting to the asset. Clear this check box to use TCP/IP when connecting to the asset.

    Use SSL Encryption

    Selected by default, this option is used to enable Safeguard to encrypt communication with this asset.

    To support SSL on Active Directory, you must upload the SSL certificate being used by the Active Directory forest. The SSL binds will need to be on port 636. For information on this process within Active Directory, see Enable LDAP over SSL with a third-party certificate authority.

    If you do not select this option for a MicrosoftSQL Server that is configured to force encryption, Test Connection will use untrusted encryption and succeed with valid credentials. For more information about how Safeguard database servers use SSL, see How do SPP database servers use SSL.

    Verify SSL Certificate

    Use this option to enable or disable SSL Certificate verification on the asset. When enabled, Safeguard for Privileged Passwords compares the signing authority of the certificate presented by the asset to the certificates in the Trusted CA Certificates store every time Safeguard for Privileged Passwords connects to the asset. Trust must be established for Safeguard for Privileged Passwords to manage the asset. For Safeguard for Privileged Passwords to verify an SSL certificate, you must add the asset's signing authority certificate to the Trusted CA Certificates store. Only clear the Verify SSL Certificate option if you do not want to establish trust with the asset.

    Privilege Level Password If required, enter the system enable password to allow access to the Cisco configuration.
    Auto Accept SSH Host Key

    Select this option to have SPP automatically accept an SSH host key. When an asset requiring an SSH host key does not have one, Check Password will fail. For more information, see Connectivity failures..

    Instance

    Specify the Instance name if you have configured multiple instances of a SQL Server on this asset. If you have configured a default (unnamed) instance of the SQL Server on the host, you need to provide the IP address and port number.

    Port

    Enter the port number to log in to the asset. This option is not available for all operating systems.

    Connection Timeout

    Enter the directory connection timeout period. Default: 20 seconds.

    Related Documents

    The document was helpful.

    Seleziona valutazione

    I easily found the information I needed.

    Seleziona valutazione