サポートと今すぐチャット
サポートとのチャット

One Identity Safeguard for Privileged Passwords 8.0 LTS - Administration Guide

Introduction System requirements Using API and PowerShell tools Using the virtual appliance and web management console Cloud deployment considerations Setting up Safeguard for Privileged Passwords for the first time Using the web client Home page Privileged access requests Appliance Management
Appliance Backup and Retention Certificates Cluster Global Services External Integration Real-Time Reports Safeguard Access Appliance Management Settings
Asset Management
Account Automation Accounts Assets Partitions Discovery Profiles Tags Registered Connectors Custom platforms Importing objects
Security Policy Management
Access Request Activity Account Groups Application to Application Cloud Assistant Asset Groups Entitlements Linked Accounts User Groups Security Policy Settings
User Management Reports Vaults Disaster recovery and clusters Administrator permissions Preparing systems for management Troubleshooting Frequently asked questions Appendix A: Safeguard ports Appendix B: SPP and SPS join guidance Appendix C: Regular Expressions

System requirements

Before installing Safeguard for Privileged Passwords 8.0, ensure that your system meets the following minimum hardware and software requirements.

NOTE: When setting up a virtual environment, carefully consider the configuration aspects such as CPU, memory availability, I/O subsystem, and network infrastructure to ensure the virtual layer has the necessary resources available. For more information about environment virtualization, see One Identity's Product Support Policies.

Bandwidth

It is recommended that connection, including overhead, is faster than 10 megabits per second inter-site bandwidth with a one-way latency of less than 500 milliseconds. If you are using traffic shaping, you must allow sufficient bandwidth and priority to port 655 UDP in the shaping profile. These numbers are offered as a guideline only in that other factors could require additional network tuning. These factors include but are not limited to: jitter, packet loss, response time, usage, and network saturation. If there are any further questions, please check with your Network Administration team.

Web client requirements
Table 5: Web client requirements
Requirement

Details

Web browsers

Desktop browsers:

  • Apple Safari 16.0 for desktop (or later)
  • Google Chrome 108 (or later)
  • Microsoft Edge 108 (or later)
  • Mozilla Firefox 108 (or later)

Mobile device browsers:

  • Apple Safari Mobile 14.7 (or newer)

  • Google Chrome on Android 108 (or newer)

Web management console requirements
Table 6: Web management console requirements
Requirement

Details

Web browsers

Desktop browsers:

  • Apple Safari 16.0 for desktop (or later)
  • Google Chrome 108 (or later)
  • Microsoft Edge 108 (or later)
  • Mozilla Firefox 108 (or later)

Platforms and versions follow.

  • You must license the VM with a Microsoft Windows license. One Identityrecommends using either the MAK or KMS method. Direct any specific questions about licensing to your Sales Representative.

  • Supported hypervisors:

    • Microsoft Hyper-V (VHDX) version 8 or higher

    • VMware vSphere with vSphere Hypervisor (ESXi) versions 6.7 or higher

    • VMware Workstation version 14 or higher

  • Minimum resources: 4 CPUs, 10 GB RAM, and a 500 GB disk. The virtual appliances default deploy does not provide adequate resources. Ensure these minimum resources are met.

Supported platforms

One Identity Safeguard for Privileged Passwords supports a variety of platforms, including custom platforms.

Safeguard for Privileged Passwords tested platforms

The following table lists the platforms and versions that have been tested for Safeguard for Privileged Passwords (SPP). Additional assets may be added to Safeguard for Privileged Passwords. If you do not see a particular platform listed when adding an asset, use the Other, Other Managed, Other Directory, or Linux selection on the Management tab of the Asset dialog. For more information, see Management tab (add asset).Management tab (add asset) in the Safeguard for Privileged Passwords Administration Guide.

Safeguard for Privileged Passwords linked to SPS: Sessions platforms

CAUTION: When linking your One Identity Safeguard for Privileged Sessions (SPS) deployment to your Safeguard for Privileged Passwords (SPP) deployment, ensure that the SPS and SPP versions match exactly, and keep the versions synchronized during an upgrade. For example, you can only link SPS version 6.6 to SPP version 6.6, and if you upgrade SPS to version 6.7, you must also upgrade SPP to 6.7.

Make sure that you do not mix Long Term Supported (LTS) and feature releases. For example, do not link an SPS version 6.0.1 to an SPP version 6.1.

If One Identity Safeguard for Privileged Passwords (SPP) is linked with a SPS (SPS) appliance, platforms are supported that use one of these protocols:

  • SPP 2.8 or lower: RDP, SSH

  • SPP 2.9 or higher: RDP, SSH, or Telnet

Some platforms may support more than one protocol. For example, a Linux (or Linux variation) platform supports both SSH and Telnet protocols.

Table 7: Supported platforms: Assets that can be managed
Platform Name Tested Versions

Supports SPP

Supports SPS Access

Supports just-in-time (JIT) privileged elevation

ACF2

ACF2 for z/OS 16.0

True

True

True

ADF2 over LDAP

ADF2 for z/OS 16.0

True

False

False

Active Directory

Active Directory

True

False

False

AIX

AIX 7.2

AIX 7.3

True

True

False

Amazon Linux

Amazon Linux 2

Amazon Linux 2023

Amazon Linux Other

True

True

False

Amazon Web Services

Amazon Web Services 1

True

False

True

CentOS Linux

CentOS Linux 7

CentOS Linux 8

True

True

False

Check Point GAiA (SSH)

Check Point GAiA (SSH) R80.30

Check Point GAiA (SSH) R81

True

True

True

Cisco ASA

Cisco ASA 7.X

Cisco ASA 8.X

Cisco ASA 9.X

True

True

True

Cisco IOS (510)

Cisco IOS 12.X

Cisco IOS 15.X

Cisco IOS 16.X

True

True

True

Cisco ISE

Cisco ISE 2.7

Cisco ISE 3

Cisco ISE 3.4

True

False

True

Cisco ISE CLI

Cisco ISE CLI 2.7

Cisco ISE CLI 3

True

True

True

Cisco NX-OS

Cisco NX-OS 9.3(7)

Cisco NX-OS 9.3(7a)

True

True

False

Debian GNU/Linux

Debian GNU/Linux 10

Debian GNU/Linux 11

Debian GNU/Linux 12

True

True

False

Dell iDRAC

Dell iDRAC 8

Dell iDRAC 9

True

True

True

eDirectory LDAP

eDirectory LDAP 9

True

False

False

ESXi

ESXi 7.0

ESXi 8.0

True

False

True

F5 Big-IP

F5 Big-IP 13.0

F5 Big-IP 14.0

F5 Big-IP 15.0

F5 BIG-IP 16.0

F5 BIG-IP 17.0

True

True

True

Fedora

Fedora 38

Fedora 39

True

True

False

Fortinet FortiOS

Fortinet FortiOS 6.2

Fortinet FortiOS 7.0

Fortinet FortiOS 7.2

Fortinet FortiOS 7.4

True

True

True

FreeBSD

FreeBSD 13

FreeBSD 14

True

True

False

Google Cloud Secret Manager

 

True

False

False

HP iLO

HP iLO 4

HP iLO 5

HP iLO 6

True

True

True

HP iLO MP

HP iLO MP 2

HP iLO MP 3

True

True

True

HP-UX

HP-UX 11iv3 (B.11.31)

True

True

False

IBM i

IBM i 7.4

IBM i 7.5

True

True

True

JunOS - Juniper Networks

JunOS - Juniper Networks 20

JunOS - Juniper Networks 21

JunOS - Juniper Networks 22

JunOS - Juniper Networks 23

True

True

True

Kubernetes Secrets

 

True

False

False

LDAP

OpenLDAP 2.4

True

False

False

Linux

 

True

True

True

macOS

macOS 12

macOS 13

macOS 14

True

True

True

MongoDB

MongoDB 5.0

MongoDB 6.0

MongoDB 7.0

True

False

True

MySQL

MySQL 8.0 LTS

True

False

True

Oracle

Oracle 19c

Oracle 21c

Oracle 23c

True

False

True

Oracle Linux (OL)

Oracle Linux (OL) 7

Oracle Linux (OL) 8

Oracle Linux (OL) 9

True

True

False

PAN-OS

PAN-OS 9.1

PAN-OS 10.1

PAN-OS 10.2

PAN-OS 11.0

PAN-OS 11.1

True

True

True

PostgreSQL

PostgreSQL 12

PostgreSQL 13

PostgreSQL 14

PostgreSQL 15

PostgreSQL 16

True

False

True

RACF

zSecurity Manager for RACF z/VM 2.5

True

True

True

RACF over LDAP

zSecurity Manager for RACF z/VM 2.5

True

False

False

Red Hat Directory Server

Red Hat Directory Server 11

Red Hat Directory Server 12

True

False

True

Red Hat Enterprise Linux (RHEL)

Red Hat Enterprise Linux (RHEL) 7

Red Hat Enterprise Linux (RHEL) 8

Red Hat Enterprise Linux (RHEL) 9

True

True

False

SAP HANA

SAP HANA

SAP HANA 2 SPS 07

True

False

True

SAP Netweaver Application Server

SAP Netweaver Application Server 7.5

True

False

True

Safeguard For Privileged Passwords Accounts

SPP 7.0 and above

True

False

False

Safeguard For Privileged Passwords Users

SPP 7.0 and above

True

False

False

SPS

SPS 7.0

True

True

True

Solaris

Solaris 10

Solaris 11.3

Solaris 11.4

True

True

False

SonicOS

SonicOS 6.5

SonicOS 7

SonicOSX 7

True

False

True

SonicWALL SMA or CMS

SonicWALL SMA or CMS 11.3.0

True

False

True

SQL Server

SQL Server 2014

SQL Server 2016

SQL Server 2017

SQL Server 2019

SQL Server 2022

True

False

True

SUSE Linux Enterprise Server (SLES)

SUSE Linux Enterprise Server (SLES) 12

SUSE Linux Enterprise Server (SLES) 15

True

True

False

Sybase (Adaptive Server Enterprise)

Sybase (Adaptive Server Enterprise) 15.7

Sybase (Adaptive Server Enterprise) 16

Sybase (Adaptive Server Enterprise) 17

True

False

True

Top Secret - Mainframe

Top Secret - Mainframe r16 zSeries

True

False

True

Top Secret - Mainframe LDAP

Top Secret - Mainframe LDAP r16

True

True

False

Ubuntu

Ubuntu 18.04 LTS

Ubuntu 22.04 LTS

Ubuntu 22.10

Ubuntu 23.10

Ubuntu 24.04 LTS

True

True

False

VMware vCenter Server

VMware vCenter Server 6.7

VMware vCenter Server 7.0

True

True

True

Windows Desktop

Windows 10

Windows 11

True

True

False

Windows Desktop (SSH)

Windows 10

Windows 11

True

True

False

Windows Desktop (WinRM)

Windows 10

Windows 11

True

True

False

Windows Server

Windows Server 2016

Windows Server 2019

Windows Server 2022

True

True

False

Windows Server (SSH)

Windows Server 2016

Windows Server 2019

Windows Server 2022

True

True

False

Windows Server (WinRM)

Windows Server 2016

Windows Server 2019

Windows Server 2022

True

True

False

Table 8: Supported platforms: Directories that can be searched
Platform Name Platform Version

Microsoft Active Directory

Windows 2008+ DFL/FFL

LDAP

2.4

For all supported platforms, it is assume that you are applying the latest updates. For unpatched versions of supported platforms, Support will investigate and assist on a case by case basis but it may be necessary for you to upgrade the platform or use SPP's custom platform feature.

IMPORTANT: For the current list of platforms supported by Connect for Safeguard Assets, see the Connect for Safeguard Assets User Guide.

Custom platforms

The following example platform scripts are available:

  • Custom HTTP

  • Linux SSH

  • Telnet

  • TN3270 transports are available

For more information, see Custom platforms and Creating a custom platform script.Custom Platforms and Creating a custom platform script in the One Identity Safeguard for Privileged Passwords Administration Guide.

Sample custom platform scripts and command details are available at the following links available from the Safeguard Custom Platform Home wiki on GitHub:

CAUTION: Example scripts are provided for information only. Updates, error checking, and testing are required before using them in production. Safeguard for Privileged Passwords checks to ensure the values match the type of the property that include a string, boolean, integer, or password (which is called secret in the API scripts). Safeguard for Privileged Passwords cannot check the validity or system impact of values entered for custom platforms.

Licenses

As a Safeguard for Privileged Passwords user, if you get an "appliance is unlicensed" notification, contact your Appliance Administrator.

Hardware appliance

The One Identity Safeguard for Privileged Passwords 4000 Appliance, 3000 Appliance and 2000 Appliance ship with the SPP module which requires a valid license to enable functionality.

You must install a valid license. Once the module is installed, Safeguard for Privileged Passwords shows a license state of Licensed and is operational. If the module license is not installed, you have limited functionality. That is, even though you will be able to configure access requests, if a SPP module license is not installed, you will not be able to request a password release.

Virtual appliance Microsoft Windows licensing

You must license the virtual appliance with a Microsoft Windows license. We recommend using either the MAK or KMS method. Specific questions about licensing should be directed to your Sales Representative. The virtual appliance will not function unless the operating system is properly licensed.

Licensing setup and update

To enter licensing information when you first log in

The first time you log in as the Appliance Administrator, you are prompted to add a license. The Success dialog displays when the license is added.

On the virtual appliance, the license is added as part of Initial Setup. For more information, see Setting up the virtual appliance..

IMPORTANT: After successfully adding a license, the Software Transaction Agreement will be displayed and must be read and accepted in order to use Safeguard for Privileged Passwords.

To configure reminders for license expiration

To avoid disruptions in the use of Safeguard for Privileged Passwords, the Appliance Administrator must configure the SMTP server, and define email templates for the License Expired and the License Expiring Soon event types. This ensures you will be notified of an approaching expiration date. For more information, see Enabling email notifications..

Users are instructed to contact their Appliance Administrator if they get an "appliance is unlicensed" notification.

As an Appliance Administrator, if you receive a "license expiring" notification, apply a new license.

To update the licensing file

Safeguard licenses can be updated both on hardware and virtual machines, whereas OS licenses can be updated only on virtual machines.

To perform licensing activities

Navigate to Appliance Management > Appliance > Licensing.

  • To upload a new license file, click Upload new license file and browse to select the current license file. The Software Transaction Agreement will also be displayed during this process and must be read and accepted in order to complete the licensing process.

  • To remove the license file, select the license and click Remove selected license.

  • To get more information on the license and to export license data, click the What do these numbers mean? button, or click on the numbers in the tile.

    If you want to export data about users, desktops or systems in CSV or JSON format, navigate to the table from which you want to export data by clicking the corresponding tab, for example Users Used.

    Click the export icon located on the table. For more information on exporting, see Exporting dataExporting data in the One Identity Safeguard for Privileged Passwords Administration Guide and One Identity Safeguard for Privileged Passwords User Guide documents.

    Below is the list of the available tabs.

    For device-based licenses:

    • General

    • Desktops Used

    • Other Desktops

    • Systems Used

    • Other Systems

    • History

    For user-based licenses:

    • General

    • Users Used

    • Password Vault Only

    • Other Users

    • History

  • The General tab, contains general information about the license:

    • License usage and consumption

    • Counts of all managed and unmanaged components

    • How licenses are counted

    • License Number

    • License Type

    • Expiration Date

    • Product Version

    • Date Added

    • Added By

Long Term Support (LTS) and Feature Releases

Releases use the following version designations:

  • Long Term Support (LTS) Releases: The first digit identifies the release and the second is a zero (for example, 6.0 LTS).
  • Maintenance LTS Releases: A third digit is added followed by LTS (for example, 6.0.6 LTS).
  • Feature Releases: The Feature Releases version numbers are two digits (for example, 6.6).

Customers choose between two paths for receiving releases: Long Term Support (LTS) Release or Feature Release. See the following table for details.

Table 9: Comparison of Long Term Support (LTS) Release and Feature Release
  Long Term Support (LTS) Release Feature Release
General Release

Scope: Includes new features, resolved issues and security updates

Versioning: The first digit identifies the LTS and the second digit is a 0 (for example, 6.0 LTS, 7.0 LTS, and so on).

Scope: Includes the latest features, resolved issues, and other updates, such as security patches for the OS

Versioning: The first digit identifies the LTS and the second digit is a number identifying the Feature Release (for example, 6.6, 6.7, and so on).

Maintenance Release

Scope: Includes critical resolved issues

Versioning: A third digit designates the maintenance LTS Release (for example, 6.0.6 LTS).

Scope: Includes highly critical resolved issues

Versioning: A third digit designates the maintenance Feature Release (for example, 6.6.1).

Release and support details can be found at Product Life Cycle.

CAUTION: Downgrading from the latest Feature Release, even to an LTS release, voids support for SPP.

One Identity strongly recommends always installing the latest revision of the release path you use (Long Term Support path or Feature Release path).

Moving between LTS and Feature Release versions

You can move from an LTS version (for example, 6.0.7 LTS) to the same feature version (6.7) and then patch to a later feature version. After that, you can patch from the minimum version for the patch, typically N-3. If you move from an LTS version to a feature version, you will receive a warning like the following which informs you that you will only be able to apply a Feature Release until the next LTS Release:

Warning: You are patching to a Feature Release from an LTS Release. If you apply this update, you will not be able to upgrade to a non-Feature Release until the next LTS major release version is available. See the Administration Guide for details.

You cannot move from a Feature Release to LTS Release. For example, you cannot move from 6.7 to 6.0.7 LTS. You have to keep upgrading with each new Feature Release until the next LTS Release version is published. For this example, you would wait until 7.0 LTS is available.

Patching

You can only patch from a major version. For example, if you have version 6.6 and want to patch to 7.7, you must patch to 7.0 LTS and then apply 7.7.

An LTS major version of One Identity Safeguard for Privileged Passwords (SPP) will only work with the same LTS major version of SPS (SPS). For the best experience, it is recommended you use the latest supported version.

関連ドキュメント

The document was helpful.

評価を選択

I easily found the information I needed.

評価を選択