サポートと今すぐチャット
サポートとのチャット

One Identity Safeguard for Privileged Passwords 6.9 - Administration Guide

Introduction System requirements and versions Using API and PowerShell tools Using the virtual appliance and web management console Cloud deployment considerations Setting up Safeguard for Privileged Passwords for the first time Using the web client Getting started with the desktop client Using the desktop client Search box Privileged access requests Toolbox Accounts Account Groups Assets Asset Groups Discovery Entitlements Partitions Settings
Access Request settings Appliance settings Asset Management settings Backup and Retention settings Certificates settings Cluster settings Enable or Disable Services settings External Integration settings Messaging settings (desktop client) Password Management settings Real-Time Reports Safeguard Access settings SSH Key Management settings
Users User Groups Disaster recovery and clusters Administrator permissions Preparing systems for management Troubleshooting Frequently asked questions Appendix A: Safeguard ports Appendix B: SPP 2.7 or later migration guidance Appendix C: SPP and SPS join guidance Appendix D: Regular Expressions About us

Web management console system requirements

Table 7: Web kiosk requirements
Component Requirements
Web management console

Desktop browsers:

  • Apple Safari 13.1 for desktop (or later)
  • Google Chrome 80 (or later)
  • Microsoft Edge 80 (or later)
  • Mozilla Firefox 69 (or later)
  • Microsoft Internet Explorer 11 (Newer features may not work with Internet Explorer. You are encouraged to upgrade to a browser that can support all functionality.)

Platforms and versions follow.

  • You must license the VM with a Microsoft Windows license. We recommend using either the MAK or KMS method. Specific questions about licensing should be directed to your Sales Representative.

  • Supported hypervisors:
    • Microsoft Hyper-V (VHDX) version 8 or higher
    • VMware vSphere with vSphere Hypervisor (ESXi) versions 6.5 or higher
    • VMware Worksation version 13 or higher

  • Minimum resources: 4 CPUs, 10GB RAM, and a 500GB disk. The virtual appliances default deploy does not provide adequate resources. Ensure these minimum resources are met.

Supported platforms

One Identity Safeguard for Privileged Passwords supports a variety of platforms, including custom platforms.

Safeguard for Privileged Passwords tested platforms

The following table lists the platforms and versions that have been tested for Safeguard for Privileged Passwords (SPP). Additional assets may be added to Safeguard for Privileged Passwords. If you do not see a particular platform listed when adding an asset, use the Other, Other Managed, Other Directory, or Other Linux selection on the Management tab of the Asset dialog. For more information, see Management tab (add asset).

NOTE: Prior to Safeguard for Privileged Passwords 6.8, the version and architecture information was readonly. It was stored with the platform and formed part of the platform name. As of Safeguard for Privileged Passwords 6.8, this information is no longer associated with the platform. It is now optional, and can be configured on each asset.

A new set of platforms are defined in Safeguard for Privileged Passwords 6.8 to replace the legacy platforms. See the table below for details on how the legacy platforms are mapped to the new platforms.

For customers upgrading from a pre-6.8 version of Safeguard for Privileged Passwords, the legacy platform will automatically be mapped to the corresponding new platform for each existing asset. Following an upgrade, the platform id of each existing asset will have changed. Some platform names may also have changed. From the desktop UI, only the new platforms are available when creating an asset. By default, the API will also only report the new platforms. For example, a GET request to the following URI will report only the new platforms:

https://<appliance>/servive/core/V3/Platforms

The legacy platforms still exist within Safeguard for Privileged Passwords for reference, but can only be retrieved using a filter query with the API. For example, the following will retrieve the legacy Active Directory platform:

https://<appliance>/servive/core/V3/Platforms?filter=Id%20eq%203

SPP linked to SPS: Sessions platforms

CAUTION: When linking your One Identity Safeguard for Privileged Sessions (SPS) deployment to your One Identity Safeguard for Privileged Passwords (SPP) deployment, ensure that the SPS and SPP versions match exactly, and keep the versions synchronized during an upgrade. For example, you can only link SPS version 6.6 to SPP version 6.6, and if you upgrade SPS to version 6.7, you must also upgrade SPP to 6.7.

Make sure that you do not mix Long Term Supported (LTS) and feature releases. For example, do not link an SPS version 6.0 to an SPP version 6.1.

When Safeguard for Privileged Passwords (SPP) is linked with a Safeguard for Privileged Sessions (SPS) appliance, platforms are supported that use one of these protocols:

  • SPP 2.8 or lower: RDP, SSH
  • SPP 2.9 or higher: RDP, SSH, or Telnet

Some platforms may support more than one protocol. For example, a Linux (or Linux variation) platform supports both SSH and Telnet protocols.

Table 8: Supported platforms: Assets that can be managed
Platform Name Legacy Platform (ID)

Supports SPP

Supports SPS Access

ACF2 - Mainframe

ACF2 - Mainframe LDAP r14 zSeries

ACF2 - Mainframe LDAP r15 zSeries

True

True

ACF2 - Mainframe LDAP

ACF2 - Mainframe LDAP r14 zSeries

ACF2 - Mainframe LDAP r15 zSeries

True

False

Active Directory

Active Directory

True

False

AIX

AIX 6.1 PPC

AIX 7.1 PPC

AIX 7.2 PPC

AIX Other

True

True

Amazon Linux

Amazon Linux 2 x86_64

Amazon Linux Other x86_64

True

True

Amazon Web Services

Amazon Web Services 1

True

False

CentOS Linux

CentOS Linux 6 x86

CentOS Linux 6 x86_64

CentOS Linux 7 x86_64

CentOS Linux 8 x86_64

CentOS Linux Other

True

True

Check Point GAiA (SSH)

Check Point GAiA (SSH) R76

Check Point GAiA (SSH) R77

Check Point GAiA (SSH) R80.30

True

True

Cisco ASA

Cisco ASA 7.X

Cisco ASA 8.X

Cisco ASA 9.X

Cisco ASA Other

True

True

Cisco IOS (510)

Cisco IOS 12.X

Cisco IOS 15.X

Cisco IOS 16.X

Cisco IOS Other

True

True

Debian GNU/Linux (511)

Debian GNU/Linux 10 MIPS

Debian GNU/Linux 10 PPC

Debian GNU/Linux 10 x86

Debian GNU/Linux 10 x86_64

Debian GNU/Linux 10 zSeries

Debian GNU/Linux 6 MIPS

Debian GNU/Linux 6 PPC

Debian GNU/Linux 6 x86

Debian GNU/Linux 6 x86_64

Debian GNU/Linux 6 zSeries

Debian GNU/Linux 7 MIPS

Debian GNU/Linux 7 PPC

Debian GNU/Linux 7 x86

Debian GNU/Linux 7 x86_64

Debian GNU/Linux 7 zSeries

Debian GNU/Linux 8 MIPS

Debian GNU/Linux 8 PPC

Debian GNU/Linux 8 x86

Debian GNU/Linux 8 x86_64

Debian GNU/Linux 8 zSeries

Debian GNU/Linux 9 MIPS

Debian GNU/Linux 9 PPC

Debian GNU/Linux 9 x86

Debian GNU/Linux 9 x86_64

Debian GNU/Linux 9 zSeries

Debian GNU/Linux Other

True

True

Dell iDRAC

Dell iDRAC 7

Dell iDRAC 8

Dell iDRAC 9

True

True

ESXi

ESXi 5.5

ESXi 6.0

ESXi 6.5

ESXi 6.7

True

False

F5 Big-IP

F5 Big-IP 12.1.2

F5 Big-IP 13.0

F5 Big-IP 14.0

F5 Big-IP 15.0

True

True

Facebook (Deprecated)

Facebook (Deprecated)

 

 

Fedora

Fedora 21 x86

Fedora 21 x86_64

Fedora 22 x86

Fedora 22 x86_64

Fedora 23 x86

Fedora 23 x86_64

Fedora 24 x86

Fedora 24 x86_64

Fedora 25 x86

Fedora 25 x86_64

Fedora 26 x86

Fedora 26 x86_64

Fedora 27 x86

Fedora 27 x86_64

Fedora 28 x86

Fedora 28 x86_64

Fedora 29 x86

Fedora 29 x86_64

Fedora 30 x86

Fedora 30 x86_64

Fedora 31 x86

Fedora 31 x86_64

Fedora 32 x86

Fedora 32 x86_64

Fedora Other

True

True

Fortinet FortiOS

Fortinet FortiOS 5.2

Fortinet FortiOS 5.6

Fortinet FortiOS 6.0

Fortinet FortiOS 6.2

True

True

FreeBSD

FreeBSD 10.4 x86

FreeBSD 10.4 x86_64

FreeBSD 11.1 x86

FreeBSD 11.1 x86_64

FreeBSD 11.2 x86

FreeBSD 11.2 x86_64

FreeBSD 12.0 x86

FreeBSD 12.0 x86_64

True

True

HP iLO

HP iLO 2 x86

HP iLO 3 x86

HP iLO 4 x86

HP iLO 5 x86

True

True

HP iLO MP

HP iLO MP 2 IA-64

HP iLO MP 3 IA-64

True

True

HP-UX

HP-UX 11iv2 (B.11.23) IA-64

HP-UX 11iv2 (B.11.23) PA-RISC

HP-UX 11iv3 (B.11.31) IA-64

HP-UX 11iv3 (B.11.31) PA-RISC

HP-UX Other

True

True

IBM i

(formerly AS400)

IBM i 7.1 PPC

IBM i 7.2 PPC

IBM i 7.3 PPC

IBM i 7.4 PPC

True

True

Junos - Juniper Networks

Junos - Juniper Networks 12

Junos - Juniper Networks 13

Junos - Juniper Networks 14

Junos - Juniper Networks 15

Junos - Juniper Networks 16

Junos - Juniper Networks 17

Junos - Juniper Networks 18

Junos - Juniper Networks 19

True

True

LDAP

OpenLDAP 2.4

True

False

Linux

Other Linux

True

True

macOS

macOS 10.10 x86_64

macOS 10.11 x86_64

macOS 10.12 x86_64

macOS 10.13 x86_64

macOS 10.14 x86_64

macOS 10.15 x86_64

macOS 10.9 x86_64

macOS Other

True

True

MongoDB

MongoDB 3.4

MongoDB 3.6

MongoDB 4.0

MongoDB 4.2

True

False

MySQL

MySQL 5.6

MySQL 5.7

MySQL 8.0

True

False

Oracle

Oracle 11g Release 2

Oracle 12c Release 1

Oracle 12c Release 2

Oracle 18c

Oracle 19c

True

False

Oracle Linux (OL)

Oracle Linux (OL) 6 x86

Oracle Linux (OL) 6 x86_64

Oracle Linux (OL) 7 x86_64

Oracle Linux (OL) 8 x86_64

Oracle Linux (OL) Other

True

True

Other

Other

False

False

Other Directory

Other Directory

True

False

Other Managed

Other Managed

True

False

PAN-OS

PAN-OS 6.0

PAN-OS 7.0

PAN-OS 8.0

PAN-OS 8.1

PAN-OS 9.0

True

True

PostgreSQL

PostgreSQL 10

PostgreSQL 10.2

PostgreSQL 10.3

PostgreSQL 10.4

PostgreSQL 10.5

PostgreSQL 11

PostgreSQL 12

PostgreSQL 9.6

True

False

RACF - Mainframe

RACF - Mainframe z/OS V2.1 Security Server zSeries

RACF - Mainframe z/OS V2.2 Security Server zSeries

RACF - Mainframe z/OS V2.3 Security Server zSeries

True

True

RACF - RACF - Mainframe LDAP

RACF - Mainframe LDAP z/OS V2.1 Security Server zSeries

RACF - RACF - Mainframe LDAP z/OS V2.2 Security Server zSeries

RACF - RACF - Mainframe LDAP z/OS V2.3 Security Server zSeries

True

False

Red Hat Enterprise Linux (RHEL)

Red Hat Enterprise Linux (RHEL) 6 PPC

Red Hat Enterprise Linux (RHEL) 6 x86

Red Hat Enterprise Linux (RHEL) 6 x86_64

Red Hat Enterprise Linux (RHEL) 6 zSeries

Red Hat Enterprise Linux (RHEL) 7 PPC

Red Hat Enterprise Linux (RHEL) 7 x86_64

Red Hat Enterprise Linux (RHEL) 7 zSeries

Red Hat Enterprise Linux (RHEL) 8 PPC

Red Hat Enterprise Linux (RHEL) 8 x86_64

Red Hat Enterprise Linux (RHEL) 8 zSeries

Red Hat Enterprise Linux (RHEL) Other

True

True

SAP HANA

SAP HANA 2.0 Other

True

False

SAP Netweaver Application Server

SAP Netweaver Application Server 7.3

SAP Netweaver Application Server 7.4

SAP Netweaver Application Server 7.5

True

False

Solaris

Solaris 10 SPARC

Solaris 10 x86

Solaris 10 x86_64

Solaris 11 SPARC

Solaris 11 x86_64

Solaris Other

True

True

SonicOS

SonicOS 5.9

SonicOS 6.2

SonicOS 6.4

SonicOS 6.5

True

False

SonicWALL SMA or CMS

SonicWALL SMA or CMS 11.3.0

True

False

SQL Server

SQL Server 2012

SQL Server 2014

SQL Server 2016

SQL Server 2017

SQL Server 2019

True

False

SUSE Linux Enterprise Server (SLES)

SUSE Linux Enterprise Server (SLES) 11 IA-64

SUSE Linux Enterprise Server (SLES) 11 PPC

SUSE Linux Enterprise Server (SLES) 11 x86

SUSE Linux Enterprise Server (SLES) 11 x86_64

SUSE Linux Enterprise Server (SLES) 11 zSeries

SUSE Linux Enterprise Server (SLES) 12 PPC

SUSE Linux Enterprise Server (SLES) 12 x86_64

SUSE Linux Enterprise Server (SLES) 12 zSeries

SUSE Linux Enterprise Server (SLES) 15 PPC

SUSE Linux Enterprise Server (SLES) 15 x86_64

SUSE Linux Enterprise Server (SLES) 15 zSeries

SUSE Linux Enterprise Server (SLES) Other

True

True

Sybase (Adaptive Server Enterprise)

Sybase (Adaptive Server Enterprise) 15.7

Sybase (Adaptive Server Enterprise) 16

Sybase (Adaptive Server Enterprise) 17

True

False

Top Secret - Mainframe

Top Secret - Mainframe r14 zSeries

Top Secret - Mainframe r15 zSeries

Top Secret - Mainframe r16 zSeries

True

False

Top Secret - Mainframe LDAP

Top Secret - Mainframe LDAP r14 zSeries

Top Secret - Mainframe LDAP r15 zSeries

Top Secret - Mainframe LDAP r16 zSeries

True

True

Twitter (Deprecated)

Twitter (Deprecated)

 

 

Ubuntu

Ubuntu 14.04 LTS x86

Ubuntu 14.04 LTS x86_64

Ubuntu 15.04 x86

Ubuntu 15.04 x86_64

Ubuntu 15.10 x86

Ubuntu 15.10 x86_64

Ubuntu 16.04 LTS x86

Ubuntu 16.04 LTS x86_64

Ubuntu 16.10 x86

Ubuntu 16.10 x86_64

Ubuntu 17.04 x86

Ubuntu 17.04 x86_64

Ubuntu 17.10 x86

Ubuntu 17.10 x86_64

Ubuntu 18.04 LTS x86

Ubuntu 18.04 LTS x86_64

Ubuntu 18.10 x86

Ubuntu 18.10 x86_64

Ubuntu 19.04 x86

Ubuntu 19.04 x86_64

Ubuntu 19.10 x86_64

Ubuntu 20.04 x86_64

Ubuntu Other

True

True

Windows

Windows (SSH)

Windows Server

Windows Server (SSH)

Windows (SSH) 10

Windows (SSH) 7

Windows (SSH) 8

Windows (SSH) 8.1

Windows (SSH) Other

Windows (SSH) Server 2008 R2

Windows (SSH) Server 2012

Windows (SSH) Server 2012 R2

Windows (SSH) Server 2016

Windows (SSH) Server 2019

Windows 10

Windows 7

Windows 8

Windows 8.1

Windows Other

Windows Server 2008

Windows Server 2008 R2

Windows Server 2012

Windows Server 2012 R2

Windows Server 2016

Windows Server 2019

Windows Vista

True

True

Table 9: Supported platforms: Directories that can be searched
Platform Name Platform Version

Microsoft Active Directory

Windows 2008+ DFL/FFL

LDAP

2.4

For all supported platforms, it is assume that you are applying the latest updates. For unpatched versions of supported platforms, Support will investigate and assist on a case by case basis but it may be necessary for you to upgrade the platform or use SPP's custom platform feature.

Custom platforms

The following example platform scripts are available:

  • Custom HTTP
  • Linux SSH
  • Telnet
  • TN3270 transports are available

For more information, see Custom platforms and Creating a custom platform script.

Sample custom platform scripts and command details are available at the following links available from the Safeguard Custom Platform Home wiki on GitHub:

CAUTION: Example scripts are provided for information only. Updates, error checking, and testing are required before using them in production. Safeguard for Privileged Passwords checks to ensure the values match the type of the property that include a string, boolean, integer, or password (which is called secret in the API scripts). Safeguard for Privileged Passwords cannot check the validity or system impact of values entered for custom platforms.

Licenses

Hardware appliance

The One Identity Safeguard for Privileged Passwords 3000 Appliance and 2000 Appliance ship with the Privileged Passwords module which requires a valid license to enable functionality.

You must install a valid license. Once the module is installed, Safeguard for Privileged Passwords shows a license state of Licensed and is operational. If the module license is not installed, you have limited functionality. That is, even though you will be able to configure access requests, if a Privileged Passwords module license is not installed, you will not be able to request a password release.

Virtual appliance Microsoft Windows licensing

You must license the virtual appliance with a Microsoft Windows license. We recommend using either the MAK or KMS method. Specific questions about licensing should be directed to your Sales Representative. The virtual appliance will not function unless the operating system is properly licensed.

Licensing setup and update

To enter licensing information when you first log in

The first time you log in as the Appliance Administrator, you are prompted to add a license. The Success dialog displays when the license is added.

On the virtual appliance, the license is added as part of Initial Setup. For more information, see Setting up the virtual appliance.

To configure reminders for license expiration

To avoid disruptions in the use of Safeguard for Privileged Passwords, the Appliance Administrator must configure the SMTP server, and define email templates for the License Expired and the License Expiring Soon event types. This ensures you will be notified of an approaching expiration date. For more information, see Enabling email notifications.

Users are instructed to contact their Appliance Administrator if they get an "appliance is unlicensed" notification.

As an Appliance Administrator, if you receive a "license expiring" notification, apply a new license.

To update the licensing file

Licensing update is only available using a virtual machine, not via the hardware.

web client: To perform licensing activities

Go to the licensing page:

  1. Navigate to Appliance | Licensing.
    • To upload a new license file, click Upload new license file and browse to select the current license file.
    • To remove the license file, select the license and click Remove selected license.

desktop client: To perform licensing activities

  1. Navigate to Administrative Tools | Settings | Appliance | Licensing.
    • To upload a new license file, click Add License and browse to select the license file.
    • To update a license file, select the license then select Update License in the lower left corner of a module's licensing information pane, select the license file, and click Open.

Long Term Support (LTS) and Feature Releases

Releases use the following version designations:

  • Long Term Support (LTS) Releases: The first digit identifies the release and the second is a zero (for example, 6.0 LTS).
  • Maintenance LTS Releases: A third digit is added followed by LTS (for example, 6.0.6 LTS).
  • Feature Releases: The Feature Releases version numbers are two digits (for example, 6.6).

Customers choose between two paths for receiving releases: Long Term Support (LTS) Release or Feature Release. See the following table for details.

Table 10: Comparison of Long Term Support (LTS) Release and Feature Release
  Long Term Support (LTS) Release Feature Release
Release frequency

Frequency: Typically, every 2 years

Scope: Includes new features, resolved issues and security updates

Versioning: The first digit identifies the LTS and the second digit is a 0 (for example, 6.0 LTS, 7.0 LTS, and so on).

Frequency: Typically, every 3 months

Scope: Includes the latest features, resolved issues, and other updates, such as security patches for the OS

Versioning: The first digit identifies the LTS and the second digit is a number identifying the Feature Release (for example, 6.6, 6.7, and so on).

Maintenance Release

Frequency:Typically, every 3 months during full support

Scope: Includes critical resolved issues

Versioning: A third digit designates the maintenance LTS Release (for example, 6.0.6 LTS).

Frequency:Only for highly critical issues

Scope: Includes highly critical resolved issues

Versioning: A third digit designates the maintenance Feature Release (for example, 6.6.1).

Support

Support extends typically 3 years after the original publication date or until the next LTS is published (whichever date is later).

Support extends typically 6 months after the original publication date or until the next feature or LTS Release is published (whichever date is later).

Release details can be found at Product Life Cycle.

CAUTION: Downgrading from the latest Feature Release, even to an LTS release, voids support for SPP.

One Identity strongly recommends always installing the latest revision of the release path you use (Long Term Support path or Feature Release path).

Moving between LTS and Feature Release versions

You can move from an LTS version (for example, 6.0.7 LTS) to the same feature version (6.7) and then patch to a later feature version. After that, you can patch from the minimum version for the patch, typically N-3. If you move from an LTS version to a feature version, you will receive a warning like the following which informs you that you will only be able to apply a Feature Release until the next LTS Release:

Warning: You are patching to a Feature Release from an LTS Release. If you apply this update, you will not be able to upgrade to a non-Feature Release until the next LTS major release version is available. See the Administration Guide for details.

You cannot move from a Feature Release to LTS Release. For example, you cannot move from 6.7 to 6.0.7 LTS. You have to keep upgrading with each new Feature Release until the next LTS Release version is published. For this example, you would wait until 7.0 LTS is available.

Patching

You can only patch from a major version. For example, if you have version 6.6 and want to patch to 7.7, you must patch to 7.0 LTS and then apply 7.7.

An LTS major version of Safeguard for Privileged Passwords (SPP) will only work with the same LTS major version of Safeguard for Privileged Sessions (SPS). For the best experience, it is recommended you use the latest supported version.

関連ドキュメント

The document was helpful.

評価を選択

I easily found the information I needed.

評価を選択