One Identity Safeguard for Privileged Sessions Hardware Installation Guide
This document describes how to set up the One Identity Safeguard for Privileged Sessions (SPS) hardware. Refer to the following documents for step-by-step instructions:
The following describes how to install a single SPS unit.
To install a single SPS unit
Unpack SPS.
(Optional) Install SPS into a rack with the slide rails. Slide rails are available for all SPS appliances.
Connect the cables.
Connect the Ethernet cable facing your LAN to the Ethernet connector labeled as 1. This is physical interface 1 of SPS. This interface is used for the initial configuration of SPS, and for monitoring connections. (For details on the roles of the different interfaces, see Network interfaces in the Administration Guide.)
(Optional) To use SPS across multiple physical (L1) networks, you can connect additional networks using physical interface 2 (Ethernet connector 2) and physical interface 3 (Ethernet connector 3).
Connect an Ethernet cable that you can use to remotely support the SPS hardware to the IPMI interface of SPS. For details, see the following documents:
Connect the IPMI before plugging in the power cord. Failing to do so will result in IPMI failure.
Caution: SECURITY HAZARD!
The IPMI, like all out-of-band management interfaces, has known vulnerabilities that One Identity cannot fix or influence. To avoid security hazards, One Identity recommends that you connect the IPMI only to well-protected, separated management networks with restricted accessibility. Failing to do so may result in unauthorized access to all data stored on the SPS appliance. Data on the appliance can be unencrypted or encrypted, and can include sensitive information, for example, passwords, decryption keys, private keys, and so on.
NOTE: The administrator of SPS must be authorized and able to access the IPMI for support and troubleshooting purposes in case vendor support is needed.
The following ports are used by the IPMI:
Port 22 (TCP): SSH (configurable)
Port 80 (TCP): Web (configurable)
Port 161 (UDP, TCP): SNMP (configurable)
Port 443 (TCP): Web SSL (configurable)
Port 623 (UDP): Virtual Media (configurable)
Port 5900 (TCP): IKVM Server (configurable)
Port 5985 (TCP): Wsman (configurable)
(Optional) Connect the Ethernet cable connecting SPS to another SPS node to the Ethernet connector labeled as 4. This is the high availability (HA) interface of SPS. (For details on the roles of the different interfaces, see Network interfaces in the Administration Guide.)
(Optional) The Safeguard Sessions Appliance 3500 and 4000 are equipped with a dual-port SFP+ interface card labeled 5 and 6. Optionally, connect a supported SFP+ module to these interfaces.
NOTE: For a list of compatible connectors, see Linux Base Driver for 10 Gigabit Intel Ethernet Network Connection. Note that SFP transceivers encoded for non-Intel hosts may be incompatible with the Intel 82599EB host chipset found in SPS.
Power on the hardware.
Change the BIOS password on the One Identity Safeguard for Privileged Sessions. The default password is ADMIN or changeme, depending on your hardware.
Change the IPMI password on the One Identity Safeguard for Privileged Sessions. The default password is ADMIN or changeme, depending on your hardware.
NOTE: Ensure that you have the latest version of IPMI firmware installed. You can download the relevant firmware from the One Identity Knowledge base.
To change the IPMI password, connect to the IPMI remote console.
NOTE: If you encounter issues when connecting to the IPMI remote console, add the DNS name or the IP address of the IPMI to the exception list (whitelist) of the Java console. For details on how to do this, see the Java FAQ entry titled How can I configure the Exception Site List?.
Following boot, SPS attempts to receive an IP address automatically via DHCP. If it fails to obtain an automatic IP address, it starts listening for HTTPS connections on the 192.168.1.1 IP address.
To configure SPS to listen for connections on a custom IP address, complete the following steps:
Access SPS from the local console, and log in with username root and password default.
Select Shells > Core shell in the Console Menu.
Change the IP address of SPS:
ifconfig eth0 <IP-address> netmask 255.255.255.0
Replace <IP-address> with an IPv4 address suitable for your environment.
Set the default gateway using the following command:
route add default gw <IP-of-default-gateway>
Replace <IP-of-default-gateway> with the IP address of the default gateway.
Type exit, then select Logout from the Console Menu.
Connect to the SPS web interface from a client machine and complete the Welcome Wizard as described in The Welcome Wizard and the first login in the Administration Guide.
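The caution in the cabling step recommends connecting the IPMI only to a separated management network and lists the ports the IPMI uses. The following is an added example, not part of the original guide or of One Identity's tooling: a check, run from a host on a network that should not reach the IPMI, that reports which of the listed TCP ports still answer. The file name ipmi_exposure.py and the function names are assumptions made for this example.

```python
import socket
import sys

# TCP ports the guide lists for the IPMI. These are the defaults; the guide
# marks every one of them as configurable, so adjust to your deployment.
IPMI_TCP_PORTS = {
    22: "SSH", 80: "Web", 161: "SNMP", 443: "Web SSL",
    5900: "IKVM Server", 5985: "Wsman",
}
# UDP 161 (SNMP) and UDP 623 (Virtual Media) are also listed. A silent UDP port
# looks the same whether filtered or open, so verify those in the firewall rules.


def tcp_reachable(host, port, timeout=1.0):
    """Return True if a TCP handshake with host:port completes in time."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, timed out, unreachable, name resolution failure
        return False


def audit_ipmi_exposure(host, ports=IPMI_TCP_PORTS, timeout=1.0):
    """Return {port: service} for listed ports that accept a connection."""
    return {port: name for port, name in sorted(ports.items())
            if tcp_reachable(host, port, timeout)}


def report(host, exposed):
    """Format the finding; an empty result is the expected outcome."""
    if not exposed:
        return f"OK {host}: no listed IPMI TCP port answers from this network"
    found = ", ".join(f"{port}/tcp ({name})" for port, name in exposed.items())
    return f"EXPOSED {host}: {found} reachable; restrict to the management network"


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: ipmi_exposure.py <IPMI-address>")
    exposed = audit_ipmi_exposure(sys.argv[1])
    print(report(sys.argv[1], exposed))
    sys.exit(1 if exposed else 0)
```

Run it once from a user or server network and once from the management network: the first run should report OK, the second should list only the services you intend to keep enabled.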
Creating a High-availability (HA) node pair from different types of hardware is not possible. The primary and the secondary HA nodes have to run on the same type of hardware.
Caution:
Make sure that you upgrade SPS to version 7.1, 7.0.1 or later on an M2018 Appliance 3500 server if you want to use it together with an M2022 Appliance 3500 server in an HA node pair.
The following describes how to install SPS with high availability support.
Connect the two units with an Ethernet cable via the Ethernet connectors labeled as 4.
Power on the second unit.
Change the BIOS and IPMI passwords on the second unit. The default password is ADMIN or changeme, depending on your hardware.
Connect to the SPS web interface of the first unit from a client machine and enable the high availability mode. Navigate to Basic Settings > High Availability. Click Convert to Cluster, then reload the page in your browser.
Click Reboot Cluster.
Wait until the slave unit synchronizes its disk to the master unit. Depending on the size of the hard disks, this may take several hours. You can increase the speed of the synchronization via the SPS web interface at Basic Settings > High Availability > DRBD sync rate limit.
Recommended step. To test HA functionality, click Activate Slave on the High availability & Nodes page.
This turns the previous secondary node into the primary node. This process can take a few minutes. If the web interface is not available after the activation, contact our Support Team.
Hardware specifications
One Identity Safeguard for Privileged Sessions appliances are built on high-performance, energy-efficient, and reliable hardware that is easily mounted into standard rack mounts.
Table 1: Hardware specifications
| Product | Redundant PSU | Processor | Memory | Capacity | RAID | IPMI |
| --- | --- | --- | --- | --- | --- | --- |
| Safeguard Sessions Appliance 3000 | Yes | 1x Intel Xeon E3-1275 v6 3.80GHz | 2 x 16 GB | 4x2 TB NLSAS | LSI MegaRAID SAS 9361-4i Single | Yes |
| Safeguard Sessions Appliance 3500 | Yes | 2x Intel Xeon Silver 4110 2.1GHz | 8 x 8 GB | 9x2 TB NLSAS | 1 x Broadcom MegaRAID SAS 9361-16i + LSI Avago CacheVault Power Module 02 (CVPM02) Kit | Yes |
| Safeguard Sessions Appliance 4000 | Yes | 1 x Intel Xeon Silver ICX 4310T @ 2.30GHz, 10C/20T | 8 x 8 GB | 4x20 TB SAS/SATA | 1 x Broadcom 9560-8i RAID controller; 1 x Broadcom CacheVault battery | Yes |
The Safeguard Sessions Appliance 3500 is equipped with a dual-port 10Gbit interface. This interface has SFP+ connectors (not RJ-45) labeled 5 and 6, and is located to the right of the Ethernet interfaces labeled 1 and 2. If you want faster communication, for example, in case of high data load, you can connect up to two 10Gbit network cards. These cards are not shipped with the original package and have to be purchased separately.