サポートと今すぐチャット
サポートとのチャット

One Identity Safeguard for Privileged Sessions 7.5.1 - Administration Guide

Preface Introduction The concepts of One Identity Safeguard for Privileged Sessions (SPS)
The philosophy of One Identity Safeguard for Privileged Sessions (SPS) Policies Credential Stores Plugin framework Indexing Supported protocols and client applications Modes of operation Connecting to a server through One Identity Safeguard for Privileged Sessions (SPS) Archive and backup concepts Maximizing the scope of auditing IPv6 in One Identity Safeguard for Privileged Sessions (SPS) SSH host keys Authenticating clients using public-key authentication in SSH The gateway authentication process Four-eyes authorization Network interfaces High Availability support in One Identity Safeguard for Privileged Sessions (SPS) Versions and releases of One Identity Safeguard for Privileged Sessions (SPS) Accessing and configuring One Identity Safeguard for Privileged Sessions (SPS)
Cloud deployment considerations The Welcome Wizard and the first login Basic settings
Supported web browsers The structure of the web interface Network settings Configuring date and time System logging, SNMP and e-mail alerts Configuring system monitoring on SPS Data and configuration backups Archiving Cleaning up audit data Using plugins Forwarding data to third-party systems Starling integration
User management and access control
Login settings Managing One Identity Safeguard for Privileged Sessions (SPS) users locally Setting password policies for local users Managing local user groups Managing One Identity Safeguard for Privileged Sessions (SPS) users from an LDAP database Authenticating users to a RADIUS server Authenticating users with X.509 certificates Authenticating users with SAML2 Managing user rights and usergroups Creating rules for restricting access to search audit data Displaying the privileges of users and user groups Listing and searching configuration changes
Managing One Identity Safeguard for Privileged Sessions (SPS)
Controlling One Identity Safeguard for Privileged Sessions (SPS): reboot, shutdown Managing One Identity Safeguard for Privileged Sessions (SPS) clusters Managing a High Availability One Identity Safeguard for Privileged Sessions (SPS) cluster Upgrading One Identity Safeguard for Privileged Sessions (SPS) Managing the One Identity Safeguard for Privileged Sessions (SPS) license Accessing the One Identity Safeguard for Privileged Sessions (SPS) console Sealed mode Out-of-band management of One Identity Safeguard for Privileged Sessions (SPS) Managing the certificates used on One Identity Safeguard for Privileged Sessions (SPS)
General connection settings HTTP-specific settings ICA-specific settings MSSQL-specific settings RDP-specific settings SSH-specific settings Using Sudo with SPS Telnet-specific settings VMware Horizon View connections VNC-specific settings Indexing audit trails Using the Search interface Advanced authentication and authorization techniques Reports The One Identity Safeguard for Privileged Sessions (SPS) REST API One Identity Safeguard for Privileged Sessions (SPS) scenarios Troubleshooting One Identity Safeguard for Privileged Sessions (SPS)
Network troubleshooting Gathering data about system problems Viewing logs on One Identity Safeguard for Privileged Sessions (SPS) Changing log verbosity level of One Identity Safeguard for Privileged Sessions (SPS) Collecting logs and system information for error reporting Collecting logs and system information of the boot process for error reporting Support hotfixes Status history and statistics Troubleshooting a One Identity Safeguard for Privileged Sessions (SPS) cluster Understanding One Identity Safeguard for Privileged Sessions (SPS) RAID status Restoring One Identity Safeguard for Privileged Sessions (SPS) configuration and data VNC is not working with TLS Configuring the IPMI from the BIOS after losing IPMI password Incomplete TSA response received Using UPN usernames in audited SSH connections
Using SPS with SPP Configuring external devices Using SCP with agent-forwarding Security checklist for configuring One Identity Safeguard for Privileged Sessions (SPS) Jumplists for in-product help Configuring SPS to use an LDAP backend Glossary

Creating a cluster

Create a cluster by promoting a One Identity Safeguard for Privileged Sessions (SPS) node to the role of the Central Management node. Next, join additional nodes to the cluster as described in Joining to a cluster.

NOTE: You can also promote a node through the REST API. For details, see Promote a SPS node to be the Central Management node in a new cluster in the REST API Reference Guide.

Prerequisite

Enable the cluster interface on all nodes that you want to be part of your cluster. For details, see Enabling cluster management. If no cluster interface is enabled, then clicking Basic Settings > Cluster Management results in the following pop-up dialog appearing:

Figure 114: Basic Settings > Cluster management — No cluster interface configured

If this happens, click Go to Local Services to open Basic Settings > Local Services > Cluster Interface, and enable a cluster interface. After that, click Basic Settings > Cluster management again.

To create a cluster by promoting a node to Central management role

  1. Navigate to Basic Settings > Cluster management. The main Cluster management window appears, allowing you to either join the node to an existing cluster, or create a new one.

    Figure 115: Basic Settings > Cluster management — Join and create cluster options

  2. Click Create a cluster to open the node promotion window.

    Figure 116: Basic Settings > Cluster management — Promote node to Central management role to create cluster

  3. On the Promoting to Central management role dialog, click Promote to promote the node to Central management role, and create the cluster.

    NOTE: You cannot undo or modify this action later.

    The promotion status is indicated in the Cluster status row above the Promoting to Central Management role window.

Once the node is promoted, the Cluster management window is displayed, with the now-promoted Central management node listed in the screen.

Figure 117: Basic Settings > Cluster management — Cluster management dialog on the Central management node

Using this screen, you can join additional nodes to the cluster. For details on how to do that, see Joining to a cluster.

Joining to a cluster

To join additional One Identity Safeguard for Privileged Sessions (SPS) nodes to a cluster, generate a join token on the node that you want to add to the cluster, and then use that token on the Central management node to finish adding the node to the cluster.

Caution:

Configuration options that you set on a node before joining it to the cluster will be overwritten by the configuration of the Central management node. For example, policies and protocol-specific settings will be overwritten once you assign the Managed host role to the node. Managed host roles periodically fetch the configuration of the Central management node and merge it into their own. This is called configuration synchronization.

To avoid the loss of policies and settings that are specific to your Managed host node, use a configuration synchronization plugin. Such plugins enable you to limit the scope of configuration synchronization.

For more information, see Configuration synchronization across nodes in a cluster.

NOTE: You can also join additional nodes to your cluster through the REST API, too. For details, see Join node(s) to the cluster in the REST API Reference Guide.

Prerequisite

Enable the cluster interface on all nodes that you want to be part of your cluster. For details, see Enabling cluster management. If no cluster interface is enabled, then clicking Basic Settings > Cluster Management results in the following pop-up dialog appearing:

Figure 118: Basic Settings > Cluster management — No cluster interface configured

If this happens, click Go to Local Services to open Basic Settings > Local Services > Cluster Interface, and enable a cluster interface. After that, click Basic Settings > Cluster management again.

To join additional nodes to a cluster by generating and using join tokens

  1. Navigate to Basic Settings > Cluster management. The main Cluster management window appears, allowing you to either join the node to an existing cluster, or create a new one.

    Figure 119: Basic Settings > Cluster management — Join and create cluster options

  2. Click Join to cluster to open the cluster join window.

    Figure 120: Basic Settings > Cluster management — Join to cluster window

  3. On the Join to cluster dialog, in the Central node address field, enter the IP address of the Central management node of the cluster you want to join.

    TIP: You can check the IP address on the Basic Settings > Cluster management screen of the Central management node.

  4. Click Join. A confirmation dialog appears. Click Join to cluster again in the dialog to proceed.

    NOTE: Once you click Join to cluster, you cannot undo the join process, and you will not be able to promote the node you are currently configuring to a Central management role later. However, you will still be able to change the IP address of the Central management node in the Central Node Address field, if needed.

  5. A window with a join token appears.

    Figure 121: Basic Settings > Cluster management — Join token used to join a cluster

    Click Copy token to copy the join token to the clipboard.

  6. On the Central management node of the cluster you want to join, navigate to Basic Settings > Cluster management, and click Add new node.

    Figure 122: Basic Settings > Cluster management — Cluster management dialog on the Central management node

  7. The Add new node dialog appears.

    Figure 123: Basic Settings > Cluster management — Add new node dialog

    Paste the token in the Join Token field, then click Add node.

Once the node joined the cluster, it is displayed in the list of nodes on the Basic Settings > Cluster management window of the Central management node.

Figure 124: Basic Settings > Cluster management — New node indicated on the Cluster management node

At the same time, on the node that you joined to the cluster, the Basic Settings > Cluster management page shows the IP address of the Central management node of the cluster.

Figure 125: Basic Settings > Cluster management — Join status indicated on the node that newly joined to the cluster

If you want to centrally manage the configuration of the node(s) you have joined to the cluster, assign the Managed host role to them. For details, see Assigning roles to nodes in your cluster.

Assigning roles to nodes in your cluster

By default, nodes do not have any roles assigned to them. The only exception is the Central management node, which you specifically promoted to fulfill that role. To assign a role to a node in the cluster, complete the following steps.

To assign roles to nodes in your cluster

  1. On the web interface of your Central management node, navigate to Basic Settings > Cluster management. This page displays all nodes in the cluster.

  2. Click at the right side of the row of the node that node that you want to update. The node row is expanded, showing the node address and the available roles.

  3. Select the role that you want to assign to the node. For details on what each role means, see Cluster roles.

    Caution:

    Configuration options that you set on a node before joining it to the cluster will be overwritten by the configuration of the Central management node. For example, policies and protocol-specific settings will be overwritten once you assign the Managed host role to the node. Managed host roles periodically fetch the configuration of the Central management node and merge it into their own. This is called configuration synchronization.

    To avoid the loss of policies and settings that are specific to your Managed host node, use a configuration synchronization plugin. Such plugins enable you to limit the scope of configuration synchronization.

    For more information, see Configuration synchronization across nodes in a cluster.

    NOTE: When assigning search roles, consider the following:

    • Ensure that each node has a search role.
    • Ensure that each node has only one search role.
    • You must assign the Search master role before you can assign Search minion roles.

    Figure 126: Basic Settings > Cluster management — Assigning the Search local role to the selected node

  4. Click Update to apply the selected roles. The role you assigned (in this case, the Search local role) is then displayed next to the node, under the Roles column.

    Figure 127: Basic Settings > Cluster management — Search local role is assigned to node

    You can assign roles to your nodes through the REST API, too. For details, see Assign a role to a node in the REST API Reference Guide.

Configuration synchronization across nodes in a cluster

Nodes fetch their configuration from the Central management node, and merge it into their own configuration. Depending on their role, nodes may merge the whole configuration into their own (Managed host nodes), or only the cluster-specific parts (nodes with no roles assigned). Whenever a configuration change is made on the Central management node and the change is committed, it is synchronized to all nodes in the cluster as soon as the nodes fetch the latest configuration from the Central management node.

Configuration synchronization in One Identity Safeguard for Privileged Sessions (SPS) has some implications for the SSH keys (if any) that have been recorded on your nodes before they were joined to the cluster. For details, see Configuration synchronization and SSH keys.

In some cases, you may want to keep certain parts of the configuration on your nodes outside the scope of configuration synchronization. In that case, use a configuration synchronization plugin. For more information, see Using a configuration synchronization plugin.

The following configuration settings are never overwritten by configuration synchronization, even when not using a configuration synchronization plugin:

  • Settings related to networking (Basic Settings > Network).
  • Settings related to local services (Basic Settings > Local Services).
  • Settings related to the management of SPS (Basic Settings > Management).

For more information, see the following resources:

関連ドキュメント

The document was helpful.

評価を選択

I easily found the information I needed.

評価を選択