지금 지원 담당자와 채팅
지원 담당자와 채팅

One Identity Safeguard for Privileged Passwords 7.0 LTS - Administration Guide

Introduction System requirements and versions Using API and PowerShell tools Using the virtual appliance and web management console Cloud deployment considerations Setting up Safeguard for Privileged Passwords for the first time Using the web client Home Privileged access requests Appliance Management
Appliance Backup and Retention Certificates Cluster Enable or Disable Services External Integration Real-Time Reports Safeguard Access
Asset Management
Account Automation Accounts Assets Partitions Discovery Profiles Tags Registered Connectors Custom platforms
Security Policy Management
Access Request Activity Account Groups Application to Application Cloud Assistant Asset Groups Entitlements Linked Accounts User Groups Security Policy Settings Reasons
User Management Reports Disaster recovery and clusters Administrator permissions Preparing systems for management Troubleshooting Frequently asked questions Appendix A: Safeguard ports Appendix B: SPP and SPS join guidance Appendix C: Regular Expressions About us

Run Now

You can click Run Now to manually trigger and create a new backup. If password or GNU Privacy Guard (GPG) encryption is set for appliance or on the primary appliance for cluster-wide encryption, those encryption settings are enforced when you select Run Now.

If you have selected Send to archive server, the backup will be sent to the archive server. For more information, see Backup settings.

To create a new backup

  1. Navigate to Backup and Restore:
    • web client: Navigate to Backup and Retention | Backup and Restore.
  2. Click  Run Now. In the web client, an Adding backup file progress bar displays to let you know the process is Running.
  3. If password encryption is required on an appliance or a primary appliance for cluster-wide backup encryption, you are prompted to enter the password. If encryption is set, make sure the password or private GPG key is available for restoring the backup later, if necessary. For more information see, Backup and restore, Backup protection settings.
  4. Verify that the Safeguard Backup File (.sgb) has been created.

Caution: If you restore a backup that is older than the Maximum Password Age set in the Local Login Control settings, all user accounts (including the bootstrap administrator) will be locked out and you will have to reset all of the user account passwords. To avoid this situation, you can reset the Maximum Password Age to zero before you perform the backup, then reset it after the restore.

TIP: As a best practice, perform backups more frequently than the Maximum Password Age setting.

Caution: Safeguard for Privileged Passwords can not restore any access request workflow events in process at the time of a backup.

CAUTION: When restoring a backup that was created with a Hardware Security Module integration in place, the encryption key used at the time of the backup creation needs to still be present and accessible by the Safeguard for Privileged Passwords appliance. If not, the appliance will not be able to verify the Hardware Security Module configuration used to encrypt the data in the backup. You will be allowed to continue with the restore, however the Safeguard for Privileged Passwords appliance will most likely Quarantine in the process, so this is not recommended.

Download a backup

Safeguard for Privileged Passwordsallows you to save a selected backup file in a location on your computer. Safeguard for Privileged Passwords copies the selected backup file; it does not remove the backup from the list displayed on the Backup and Restore page. An Appliance Backup Downloaded event is generated and sent to the audit log when a backup is downloaded from the appliance. The event will note if the backup was downloaded as VM compatible. To remove a file from the list display, select the file and click Remove.

To download the backup file

  1. Go to Backup and Restore:
    • web client: Navigate to Backup and Retention | Backup and Restore.
  2. Select a backup file:

    • Download: Use this option to save the selected backup file in a location on your appliance.

    • Download VM Compatible: Use this option to download a VM compatible backup, which can then be uploaded and restored on a Safeguard virtual machine. In order to download a VM compatible backup it must have been created with password or GPG public key protection settings. This is only available on hardware appliances once Authorize VM Compatible Backups has been requested and approved.

      IMPORTANT: You cannot upload a backup to hardware that has been downloaded from hardware as VM compatible.

  3. The .sgb file is downloaded to the browser's Download folder as defined in the browser settings. The file has a name similar to the following which includes the date: 946d66a4fecb4359a8b01fab75519d80_Safeguard_Backup_20200617-165625.sgb

    NOTE: There is no difference in the downloaded backup filename for regular download versus VM Compatible download.

Upload a backup

Safeguard for Privileged Passwordsallows you to retrieve a Safeguard Backup File (.sgb) from a file location and add it to the Safeguard for Privileged Passwords Backup and Restore page list for the appliance. For more information, see Restore a backup.

An Appliance Backup Uploaded event is generated and stored in the audit log when a backup is successfully uploaded to the appliance. An Appliance Backup Upload Failed event is generated and stored in the audit log when a backup upload fails on the appliance.

Backups generated and downloaded from a virtual machine can only be uploaded to a virtual machine. Backups generated and downloaded on hardware appliances can only be uploaded to a hardware appliance. Backups generated and downloaded as VM compatible on hardware appliances can only be uploaded to virtual machines.

To upload a backup file

IMPORTANT: Once you start uploading a backup, do not leave or refresh the page. Doing so will cause the browser to lose track of the upload and you will have to restart the process.

  1. If a GPG public key was used to encrypt the backup, the private key holder must decrypt the Safeguard Backup File (.sgb) before it can be uploaded to Safeguard for Privileged Passwords. For more information, see Backup protection settings.
  2. To upload Safeguard Backup File (.sgb), go to Backup and Restore:
    • web client: Navigate to Backup and Retention | Backup and Restore.
  3. Click  Upload.
  4. Browse to select the backup file and click Open. The Uploading backup file progress bar displays. When complete, the file is uploaded and is now available to be restored. For more information, see Restore a backup.

Restore a backup

Safeguard for Privileged Passwordsallows you to restore the data on your appliance with data from a selected backup. Safeguard for Privileged Passwords does not restore the appliance IP address, NTP settings, or the DNS settings.

To verify that the settings are correct after a restore, go to:

  • web client: Navigate to Appliance | Appliance Information.

There are special considerations for restoring a clustered appliance. For more information, see Using a backup to restore a clustered appliance.

Caution: If you restore a backup that is older than the Maximum Password Age set in the Local Login Control settings, all user accounts (including the bootstrap administrator) will be disabled and you will have to reset all of the user account passwords or SSH keys. If your bootstrap administrator's password is locked out, you can reset it from the Recovery Kiosk. For more information, see Admin password reset.

CAUTION: When restoring a backup that was created with a Hardware Security Module integration in place, the encryption key used at the time of the backup creation needs to still be present and accessible by the Safeguard for Privileged Passwords appliance. If not, the appliance will not be able to verify the Hardware Security Module configuration used to encrypt the data in the backup. You will be allowed to continue with the restore, however the Safeguard for Privileged Passwords appliance will most likely Quarantine in the process, so this is not recommended.

Version considerations when restoring a backup

An Appliance Administrator can restore backups as far back as Safeguard for Privileged Passwords version 6.0.0.12276. Only the data is restored; the running version is not changed.

You cannot restore a backup from a version newer than the one running on the appliance. The restore will fail and a message like the following displays: Restore failed because backup version [version] is newer then the one currently running [version].

The backup version and the running version display in the Activity Center logs that are generated when Safeguard starts, completes, or fails a restore.

To restore the Safeguard for Privileged Passwords appliance from a backup

  1. Go to Backup and Restore:
    • web client: Navigate to Backup and Retention | Backup and Restore.
  2. Select a backup. If the backup file is not listed, you can  Upload the .sgb backup file. For more information, see Upload a backup.
  3. Click Restore.
    If a problematic condition is detected, Warning for Restore of Backup displays along with details in the Restore Warnings, Warning X of X message. Click Cancel to stop the restore process and address the warning or click Continue to move to the next warning (if any) or complete the process.
  4. If the backup is protected by a password, the Protected Backup Password dialog displays. Type the password in the Enter Backup Password text box. If the password entered is not correct, the OK button is disabled and you cannot proceed. For more information, see Backup protection settings.
  5. When the Restore dialog displays, enter the word Restore in the box and click OK.

    Safeguard for Privileged Passwords automatically restarts the appliance, if necessary.

  6. After restoring from backup verify that the following are set correctly.

    • Check the archive server in the automated backup schedule. If necessary, set the correct archive server. For more information, see Archive backup.
    • Check the archive server in the session archive settings. If necessary, set the correct archive server. If you used the embedded sessions module and had an archive server configured, the archive server must be configured to play back the archived sessions.

    • If you restored a backup to a different appliance, managed networks will no longer have any assigned appliances. Password and SSH key management and discovery tasks will fail. For more information, see Managed Networks.
  7. Once the appliance is fully operational, it asks you to restart the client. All modifications to Safeguard for Privileged Passwords objects since the backup was created will be lost.

Caution: After a restore, requesters, approvers, and reviewers will not have access to any access request workflow events that were in process at the time of the backup. The Activity Center displays those workflow events as incomplete.

관련 문서

The document was helpful.

평가 결과 선택

I easily found the information I needed.

평가 결과 선택