Chatta subito con l'assistenza
Chat con il supporto

One Identity Safeguard for Privileged Passwords 8.0 LTS - Administration Guide

Introduction System requirements Using API and PowerShell tools Using the virtual appliance and web management console Cloud deployment considerations Setting up Safeguard for Privileged Passwords for the first time Using the web client Home page Privileged access requests Appliance Management
Appliance Backup and Retention Certificates Cluster Global Services External Integration Real-Time Reports Safeguard Access Appliance Management Settings
Asset Management
Account Automation Accounts Assets Partitions Discovery Profiles Tags Registered Connectors Custom platforms Importing objects
Security Policy Management
Access Request Activity Account Groups Application to Application Cloud Assistant Asset Groups Entitlements Linked Accounts User Groups Security Policy Settings
User Management Reports Vaults Disaster recovery and clusters Administrator permissions Preparing systems for management Troubleshooting Frequently asked questions Appendix A: Safeguard ports Appendix B: SPP and SPS join guidance Appendix C: Regular Expressions

Downloading a public SSH key

When you add an asset and select the Automatically Generate the SSH Key (SSH Key Generation and Deployment setting on the Connection page in the Asset dialog), Safeguard for Privileged Passwords allows you to download the SSH key so that you can manually install it on the asset.

To download a public SSH key

  1. Navigate to Asset Management > Assets.
  2. In Assets, select an asset that has an SSH key authentication type.
  3. Expand the SSH Host Key drop-down, and select Download SSH Key. The SSH key will be downloaded according to your browser's file download settings.

Configuring the Kubernetes platform

You can add an asset for Kubernetes and have SPP directly manage the secrets using a standard check and change password profile. However, this functionality is meant for scenarios, where the Kubernetes asset is used as a dependent account of an existing on-premises asset account that SPP is already managing, but must be accessible from a container application in your Kubernetes.

Example: Using the Kubernetes asset type

If SPP manages an account for a PostgreSQL database that is used by a containerized application running in Kubernetes, the application can access the secret from its native secrets vault. Whenever SPP changes the password of the PostgreSQL database, SPP will also change the secret value of the dependent account associated with the Kubernetes asset.

Managing secrets with One Identity Safeguard for Privileged Passwords (SPP) on a Kubernetes platform

For a Kubernetes secret, each of the SPP account's secrets are added as a key/value pair.

  • If the SPP account has a password secret, then the Kubernetes secret will contain an item with a key name of password.

  • If the SPP account has an SSH Key as a secret, then the Kubernetes secret will contain a key-value pair with a key name of sshkey.

  • The SPP account can have multiple secret types at the same time, and all secret types will be added and pushed to Kubernetes.

  • Secrets will either be created or updated by SPP, depending on whether the secrets already exist within Kubernetes.

SPP secret type

Kubernetes secret key name

Password password
File file
SSH Key sshkey
API Key apikey
Example

YAML file of a secret created and managed by SPP

apiVersion: v1
kind: Secret
metadata:
  name: sqlserver-password
  namespace: acme-tools
type: Opaque
stringData:
  password: dbaAdmin'sPassword
  sshkey: eyx838jf9jf99ejf9slaoidjvm
  apikey: AAAX&JYUHOH
  file: Base64EncodedStringOfFileContents
Prerequisites:
  • You have a Kubernetes server.

  • You have permission in Kubernetes to manage secrets.

  • You have the kube configuration file

    NOTE: The Kubernetes documentation recommends authenticating using client certificates. The certificate data is included in the kube configuration file that is uploaded to SPP as the service account when creating the asset.
    The service account that is associated with an asset cannot have its password rotated. It cannot be part of a Password Profile that attempts to change the password.

To configure a Kubernetes Platform in SPP

  1. Go to Asset management > Assets

  2. Click (Add) New Asset

  3. Enter a name and a description.

  4. Go to Connection tab and set the Platform value to Kubernetes Secrets.

  5. Set the Authentication Type to API Key.

  6. Upload the kube configuration file.

  7. (Optional) Click Test Connection.

  8. (Optional) Verify SSL Certificate is selected by default. You can select or clear this option to match your preferences. Kubernetes platform supports HTTP Proxy too.

  9. Click OK.

  10. Go to Asset management > Assets and select the newly created kubernetes asset.

  11. Go to Accounts tab.

  12. Click New Account.

  13. Enter a name for the account.

  14. Enter a name for Kubernetes Namespace.

    Kubernetes Namespace requirements:

    • The name must be a string.

    • The maximum length for the namespace is 253 characters.

    • Kubernetes has a default namespace, called default.

Dependent accounts

Kubernetes platform supports dependent accounts. For more information, see the following related topics.

Related topics

Checking, changing, or setting an account password

Adding account dependencies

Configure user platform

SPP user platform enables you to:

  • Add an asset to SPP, which enables you to manage SPP users on all Safeguard for Privileged Passwords (SPP) servers in your cluster.

  • Manage the password of a user on all SPP servers in your cluster.

  • Add an account to SPP with which you can effectively perform password change operation against a user in a different SPP that is not part of your cluster.

  • Add an account dependency between the managed external SPP account and any other asset being managed by SPP. (Circular reference is not possible).

  • Add an asset account to a password-based Access Request Policy, for an account that is tied to the SPP asset. This allows a user to check out the credentials to log into a different SPP.

Prerequisites
  • Support for SPP version 7 and above.

  • In the target SPP machine, a user must be created and granted the Help Desk or Authorizer permission.

  • The user must have the Identity Provider set to Local and use only password-based authentication (no certificate and no MFA).

  • The target SPP must have the Resource Owner OAuth2 grant type enabled under Appliance Management > Safeguard Access > Local Login Control.

  • User names must be unique on the target server and are not case-sensitive. The upstream Safeguard for Privileged Passwords can only match accounts by name, not by ID. Only users with their Identity Provider and Authentication Provider set to Local can be managed.

To configure an asset of type Safeguard for Privileged Passwords

  1. Navigate to Asset management > Assets

  2. Click (Add) New Asset

  3. Enter a name and a description.

  4. Navigate to Connection tab and set the Platform value to Safeguard For Privileged Passwords Users.

  5. Enter the IP address of your appliance.

  6. Set the Authentication Type to Password.

  7. Enter your account name.

  8. Enter your password.

  9. (Optional) Click Test Connection.

  10. (Optional) Verify SSL Certificate is selected by default. You can select or clear this option to match your preferences. SPP users platform supports HTTP Proxy, too.

  11. Click OK.

  12. Navigate to Asset management > Assets and select the newly created asset.

  13. Navigate to the Accounts tab.

  14. Click New Account.

  15. Enter a name for the account.

  16. You can manage the passwords under the Secrets tab.

    NOTE: Only passwords are stored in SPP. You can set Files for users, but you cannot push them to your SPP appliance.

Dependent accounts

SPP user platform supports dependent accounts. For more information, see the following related topics.

Related topics

Checking, changing, or setting an account password

Adding account dependencies

Configure SPP asset platform

The purpose of the Safeguard for Privileged Passwords (SPP) asset platform type is to be able to offload or otherwise distribute access to certain accounts.

SPP asset platform enables you to:

  • Add an asset to SPP so as to be able to manage secrets in another SPP that is not part of the cluster.

  • Add an account dependency between the managed external SPP account and any other asset being managed by SPP. (Except for the asset from which the account originates, to avoid circular reference.)

  • Add an asset account to a password-based Access Request Policy, for an account that is tied to the SPP asset.

  • Offload your A2A requests to a standalone server, to relieve and distribute the resource load caused by heavy usage.

Examples

If your company heavily uses the Safeguard A2A service, you can set up a standalone SPP server to be managed by the main cluster, in which dependent account passwords are updated. Then, A2A registrations can be configured on the standalone server and all A2A requests can be made against the standalone server, reducing the load on your main cluster.

An other use case is if you need to expose some managed account passwords to the perimeter network of your network, but you do not want to expose your main SPP cluster to the perimeter network. You can instead setup a standalone SPP server to be managed by the main cluster, in which dependent accounts passwords are updated. You can configure access request policies and other things as normal on the standalone server to be accessed in the perimeter network.

Prerequisites
  • In the target SPP machine, a user must be created and granted the Asset Admin permission, or be set as the owner of an asset on which the accounts will be managed.

  • The user must have the Identity Provider set to Local and use only password-based authentication. The password of this user can then be managed by the upstream SPP cluster, just like any other asset service account.

  • The target SPP must have the Resource Owner OAuth2 grant type enabled under Appliance Management > Safeguard Access > Local Login Control.

  • Account names must be unique on the target server and are case-sensitive. The upstream SPP can only match accounts by name, not by ID.

To configure an asset of type Safeguard for Privileged Passwords Accounts

  1. Navigate to Asset management > Assets

  2. Click (Add) New Asset

  3. Enter a name and a description.

  4. Navigate to Connection tab and set the Platform value to Safeguard For Privileged Passwords Accounts.

  5. Enter the IP address of your appliance.

  6. Set the Authentication Type to Safeguard User Account.

  7. Enter a Local Account Name. You have two options here:

    1. You can choose a user from a different platform by clicking Browse. In this case, you are using a managed account. Whenever the password is rotated for that user, the password is automatically updated on this platform accordingly.

    2. If you do not have a different platform available, you can enter a new local account name, but be aware that it will be an unmanaged service account. In this case you must specify a password for that account. If the password changes for this account, you have to update the asset manually.
  8. (Optional) Click Test Connection.

  9. (Optional) Verify SSL Certificate is selected by default. You can select or clear this option to match your preferences. SPP asset platform supports HTTP Proxy, too.

  10. Click OK.

  11. Navigate to Asset management > Assets.

  12. Navigate to Accounts tab.

  13. Click New Account.

  14. Enter a name for the account. You can have multiple accounts with the same name. However, in this case you must enter a unique Asset Name for the accounts, to enable SPP to identify the assets correctly.

  15. Click OK.

  16. You can manage the passwords, SSH keys, files, and API Keys under the Secrets tab.

Dependent accounts

SPP asset platform supports dependent accounts. For more information, see the following related topics.

Related topics

Checking, changing, or setting an account password

Adding account dependencies

Related Documents

The document was helpful.

Seleziona valutazione

I easily found the information I needed.

Seleziona valutazione