The Email Events page is used for adding and managing the subscribers that receive emails for specific Safeguard for Privileged Passwords events.
Go to Email Events:
- web client: Navigate to External Integration > Email Events.
The Email Events pane displays the following about the subscribers defined.
Table 48: Email Events: Properties
Subscriber | The name of the email event recipient.
Description | The description of the email event.
Shared | This column displays a check mark if all Appliance Administrators will see information on the email event subscription on their Email Events page.
# of Events | The number of events sent in the email.
Use these toolbar buttons to manage the email event subscribers.
Table 49: Email Event: Toolbar
Add | Add a new email event subscriber. For more information, see Add an email event.
Remove | Remove the selected email event from Safeguard for Privileged Passwords.
Edit | Modify the email event.
Copy | Clone the selected email event.
Show System Owned / Hide System Owned | Use these buttons to either display or hide system owned email events from the list.
Refresh | Update the list of email events.
Send Test Event | Send a test message.
It is the responsibility of the Appliance Administrator to add an event.
To add an email event
- Navigate to External Integration > Email Events.
- Click Add to display the Email Events Subscription dialog.
- In the Email Events Subscription dialog, enter the following:
  - Email Address: Enter the email address of the recipient or use the Browse button.
  - Description: Enter the description of the event.
  - Subscribe to All Events: Select this check box to subscribe to all events, including new events that may be added in the future. If unselected, select specific events.
    Make sure that the user creating the event has sufficient permission to receive all of the events configured. If the event is configured by a user with inadequate permissions to receive all the events that are configured, some events may not be received. If this happens, delete the email event and recreate it as a user that has sufficient permission.
  - If you left Subscribe to All Events unselected, click Browse then select the check boxes of the Events to which you want to subscribe. You can enter characters then click Search to limit the events that are displayed. Click OK.
- Click OK.
Safeguard for Privileged Passwords provides default email templates for most events, such as Cluster Primary Quorum Fails or Access Request Denied. Each event type triggers an email notification that uses the template.
Go to Email Templates:
- web client: Navigate to External Integration > Email Templates.
Use these toolbar buttons to manage email templates.
Table 50: Email template: Toolbar
Reset | Reset the selected template to the default.
Edit | Modify the selected email template.
Refresh | Update the list of email templates.
Search | To locate a specific template, enter the character string to be used to search for a match. For more information, see Search box.
Macro properties
Each event type supports specific macros in the template that are appropriate for that type of event. When editing a template, you can click Insert Event Property to select properties to insert into the text of the Subject line or Body using keywords surrounded by double braces. For example, you may select the following event properties in the Subject of your email:
Access Policy Created {{EventDescription}} {{PolicyId}}
Safeguard for Privileged Passwords ignores macros that are not supported by the event type. Unsupported macros appear blank in the email preview. Additionally, a warning message like the following may display: Invalid format for BodyTemplate property.
To edit an email template
Modify an email template to change any information except the Event type. If you later want to revert to the original template, you can select the template then click Reset. To modify an email template, use the following steps.
- Go to Email Templates:
  - web client: Navigate to External Integration > Email Templates.
- In the Email Template grid, select the template to modify and click Edit.
- Event: For more information, see Enabling email notifications.
- Subject: Edit the subject line for the email message.
  As you type, click Insert Event Property Macro to insert predefined text into the subject line. For example, you may create the following subject line:
    Approval is required for {{Requester}}'s request
  where Safeguard for Privileged Passwords generates the data defined by the macro within the double braces.
  Limit: 1024 characters
- Reply to: Enter the email address of the person to reply to concerning this notification.
  Limit: 512 characters
- Body: Enter the body of the message.
  As you type, click Insert Event Property Macro to insert predefined text into the body. For example, you may create the following body for an email template:
    {{Requester}} has requested the password for {{AccountName}} on {{AssetName}}
  where Safeguard for Privileged Passwords generates the data defined by the macro within the double braces.
  Limit: 16384 characters
- Preview Email: Select this link to display the Preview Email dialog so you can see how your email message will look.
- Click OK. The updated template is added to the Email Template grid.
- If you want to return to the default, select the email template then click Reset.
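The following is an added example, not part of Safeguard for Privileged Passwords or its documentation: a check to run on a draft template before saving it, which flags fields over the limits above, macros the event type does not support (these render blank), and malformed double braces. The supported-macro set and the sample template are constructed, and the strict {{Name}} syntax with no inner spaces is an assumption.

```python
import re

# Character limits this page gives for the template fields.
LIMITS = {"Subject": 1024, "ReplyTo": 512, "Body": 16384}
# Assumption: a macro is a bare identifier with no spaces inside the braces.
MACRO = re.compile(r"\{\{(\w+)\}\}")

# Constructed sample. The macro names come from this page's examples; the real
# set supported by an event type must be taken from the product itself.
SUPPORTED = {"Requester", "AccountName", "AssetName"}
SAMPLE = {
    "Subject": "Approval is required for {{Requester}}'s request {{PolicyId}}",
    "ReplyTo": "secops@example.com",
    "Body": "{{Requester}} has requested the password for "
            "{{AccountName}} on {{AssetName}",  # deliberate typo: one brace
}

def lint_template(fields, supported):
    """Return findings for over-long fields and macros that would not expand."""
    findings = []
    for name, text in fields.items():
        limit = LIMITS.get(name)
        if limit is not None and len(text) > limit:
            findings.append(f"{name}: {len(text)} characters exceeds limit of {limit}")
        for macro in MACRO.findall(text):
            if macro not in supported:
                findings.append(name + ": unsupported macro {{" + macro + "}} renders blank")
        # Braces left after removing well-formed macros point to a typo.
        rest = MACRO.sub("", text)
        if "{{" in rest or "}}" in rest:
            findings.append(f"{name}: malformed or unbalanced double braces")
    return findings

def preview(text, values, supported):
    """Approximate the preview: supported macros are filled, others go blank."""
    def fill(match):
        key = match.group(1)
        return str(values.get(key, "")) if key in supported else ""
    return MACRO.sub(fill, text)

if __name__ == "__main__":
    for finding in lint_template(SAMPLE, SUPPORTED):
        print(finding)
    print(preview(SAMPLE["Subject"], {"Requester": "jdoe"}, SUPPORTED))
```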
It is the responsibility of the Appliance Administrator to configure Safeguard for Privileged Passwords to integrate with an external Hardware Security Module for encryption.
Use the Hardware Security Module pane to configure the Hardware Security Module integration. The following Hardware Security Modules are supported:
Go to Hardware Security Module:
- web client: Navigate to Appliance Management > External Integration > Hardware Security Module.
Before you start
Before configuring the Hardware Security Module integration, the Thales Luna environment needs to be fully installed and configured. This includes but is not limited to:
- Setting the Crypto Officer password.
- Generating the Hardware Security Module server certificate(s) (network Luna only).
- Generating a Hardware Security Module client certificate for each Safeguard for Privileged Passwords clustered appliance (network Luna only).
- Initializing a partition.
- Creating any high availability groups Safeguard for Privileged Passwords will utilize.
Safeguard for Privileged Passwords will require the following information to configure the integration:
- Crypto Officer password
- Server certificate(s) (network Luna only)
- Client certificate(s) (network Luna only)
- Partition label (can be high availability group label)
- crystoki.ini file
If you are configuring an integration that includes a network Luna device, first install and assign the Hardware Security Module client and server certificates for your environment. For more information, see Installing a Hardware Security Module client certificate, Assigning a Hardware Security Module client certificate, and Uploading a Hardware Security Module server certificate.
IMPORTANT: Connection to network Luna devices is only supported through a Network Trust Links (NTLs) connection. Secure Trusted Channel (STC) connections are not supported when integrating with Safeguard for Privileged Passwords.
CAUTION: It is best practice to only enable or disable a Hardware Security Module integration on a standalone Safeguard for Privileged Passwords appliance. The encrypted data stored within the Safeguard for Privileged Passwords appliance will be re-encrypted during these operations. If enabling or disabling in a clustered environment, the cluster will be broken, the primary Safeguard for Privileged Passwords appliance will be set to a standalone appliance, and all replicas will need to be rejoined to the cluster after the maintenance task has been completed. During this time, ensure that no operations that use encrypted data, such as password check and change, are performed on the replica appliances to avoid data corruption.
CAUTION: Safeguard for Privileged Passwords will use a reserved label for the encryption key stored on the Hardware Security Module partition. These labels cannot exist on the partition when doing an integration for the first time. The reserved key label name is:
SafeguardMasterKey1
CAUTION: When configuring an integration that includes network Luna devices, ensure all client and server certificates have been installed on the primary Safeguard for Privileged Passwords appliance for all future cluster members. In addition, install and assign the required client certificates on the replicas prior to joining the cluster.
To configure the Hardware Security Module integration
- Go to Hardware Security Module:
  - web client: Navigate to Appliance Management > External Integration > Hardware Security Module.
- Select the Use External HSM checkbox.
- In the Partition Label field, enter the partition label Safeguard for Privileged Passwords should use on the Hardware Security Module device.
- Enter the Crypto Officer password Safeguard for Privileged Passwords should use to connect to the Hardware Security Module device.
- Click Upload File and browse for the crystoki.ini configuration file.
- Once selected, click Open.
- Click Save.
NOTE: If there is an error with Safeguard for Privileged Passwords' ability to move forward with the integration based on the provided configuration, a message displays in the user interface with further information.
Once you have finished configuring the Hardware Security Module integration, the following information and options will be available:
Table 51: Hardware Security Module: Properties
Health Status | Displays the results of the last Hardware Security Module verification.
Refresh | Runs a Hardware Security Module verification. This can be used to transition a Safeguard for Privileged Passwords appliance out of the HardwareSecurityModuleError state.
Last Successful Access Date | The date and time of the last Healthy Hardware Security Module status.
Show Details | Shows the current crystoki.ini contents being used for the Hardware Security Module integration.
To disable the Hardware Security Module integration
- Go to Hardware Security Module:
  - web client: Navigate to Appliance Management > External Integration > Hardware Security Module.
- Deselect the Use External HSM checkbox.
- Click Save.