지금 지원 담당자와 채팅
지원 담당자와 채팅

Safeguard for Privileged Passwords On Demand Hosted - Administration Guide

Introduction System requirements and versions Using API and PowerShell tools Using the virtual appliance and web management console Cloud deployment considerations Setting up Safeguard for Privileged Passwords for the first time Using the web client Getting started with the desktop client Using the desktop client Activity Center Search box Privileged access requests Toolbox Accounts Account Groups Assets
General/Properties tab (asset) Accounts tab (asset) Account Dependencies tab (asset) Owners tab (asset) Access Request Policies tab (asset) Asset Groups tab (asset) Discovered SSH Keys (asset) Discovered Services tab (asset) History tab (asset) Managing assets
Asset Groups Discovery Entitlements Linked Accounts Partitions Profiles Settings
Access Request settings Appliance settings Asset Management settings Tags Backup and Retention settings Certificates settings Cluster settings Enable or Disable Services settings External Integration settings Password Management settings Real-Time Reports Safeguard Access settings SSH Key Management settings Security Policy Settings
Users User Groups Disaster recovery and clusters Administrator permissions Preparing systems for management Troubleshooting Frequently asked questions Appendix A: Safeguard ports Appendix B: SPP 2.7 or later migration guidance Appendix C: SPP and SPS join guidance Appendix D: Regular Expressions About us

Offline Workflow (automatic)

To reduce potential downtime, the Appliance Administrator can configure Offline Workflow Mode to be performed automatically. Offline Workflow Mode allows an appliance that has lost consensus (quorum) to operate in isolation from the cluster to process access requests using cached policy data.

To ensure the outage is not a short-lived outage, the default time before the appliance is automatically switched to Offline Workflow Mode is 15 minutes. The time threshold can be changed to five minutes or more.

If automatic Offline Workflow Mode is enabled, you can enable automatic Resume Online Workflow so the appliance automatically resumes online operations once consensus is restored. The minutes to wait after consensus is restored before automatically resuming online workflow defaults to 15 minutes. The time threshold can be changed to five minutes or more.

When Offline Workflow Mode settings are configured to run automatically, an Appliance Administrator can override the automatic settings and manually place an appliance in Offline Workflow Mode or manually restore an appliance to online workflow, as needed.

The user views status messages that clearly communicate the appliance state and the ability to request passwords and SSH keys.

For general information on Offline Workflow Mode, see About Offline Workflow Mode.

Go to Offline Workflow:

  • web client: Navigate to Cluster | Offline Workflow.
  • desktop client: Navigate to Administrative Tools | Settings | Cluster | Offline Workflow.

The Offline Workflow page displays the following information.

Table 201: Offline Workflow: Properties
Property Description

Enable Automatic Offline Workflow

  • To automatically place the appliance in Offline Workflow Mode when the appliance loses connection and cannot establish consensus.
  • Automatic Offline Workflow Threshold Minutes

    The number of minutes after consensus is lost before the appliance is automatically switched over to Offline Workflow Mode. The default is 15 minutes and can be changed to five minutes or more. The threshold set does not persist after a reboot.

    Automatic Resume Online Workflow
  • If you selected Enable Automatic Offline Workflow, you can select Automatic Resume Online Workflow so the appliance automatically resumes online operations once consensus is restored.
  • Automatic Resume Online Workflow Threshold The number of minutes after consensus is restored that the appliance is automatically switched over to online workflow. The default is 15 minutes and can be changed to five minutes or more.

    Use these toolbar buttons to define and maintain your managed networks.

    Table 202: Offline Workflow: Toolbar
    Option Description
    Refresh Updates the information displayed on the page
    Enable Offline Workflow Triggers Offline Workflow Mode
    Resume Online Operations Triggers moving the appliance from Offline Workflow Mode back to online operations

    Enable automatic Offline Workflow

    Use the Offline Workflow page to configure automatic settings to control Offline Workflow Mode. You can manually override the automatic settings. For more information, see Manually override automatic Offline Workflow.

    To configure automatic settings to control Offline Workflow Mode

    1. Go to Offline Workflow:
      • web client: Navigate to Cluster | Offline Workflow.
      • desktop client: Navigate to Administrative Tools | Settings | Cluster | Offline Workflow.
    2. On the Offline Workflow dialog, select Enable Automatic Offline Workflow so the appliance will be automatically placed in Offline Workflow Mode when the appliance loses connection and cannot establish consensus with the cluster for the specified number of minutes entered (see next step).
    3. Identify the number of Minutes after consensus is lost before the appliance is automatically switched over to Offline Workflow Mode. The Automatic Offline Workflow Threshold defaults to 15 minutes and can be changed to a minimum of five minutes or more.
    4. If you selected the first check box to enabled automatic Offline Workflow Mode, you can select Automatic Resume Online Workflow so the appliance automatically resumes online operations once consensus with the cluster is restored for the specified number of minutes entered (see next step).
    5. Identify the number of Minutes after consensus is restored that the appliance is automatically switched over to online workflow. The Automatic Resume Online Workflow Threshold defaults to 15 minutes and can be changed to a minimum of five minutes or more.
    6. Click Save (web client) or OK (desktop client).

    Manually override automatic Offline Workflow

    Use the Offline Workflow page to manually enable offline workflow or resume online operations.

    For details on either of these operations, see Manually control Offline Workflow Mode.

    Before resuming online operations, see Considerations to resume online operations.

    To manually Enable Offline Workflow

    This option is only available when the appliance has lost consensus with the cluster.

    1. Go to Enable Offline Workflow:
      • web client: Navigate to Cluster | Offline Workflow.
      • desktop client: Navigate to Administrative Tools | Settings | Cluster | Offline Workflow.
    2. Click Enable Offline Workflow to manually trigger Offline Workflow Mode.
    3. In the dialog box, type in Enable Offline Workflow and click Enter. The appliance is in Offline Workflow Mode and enters maintenance. 
    4. You can verify requests and view health checks on the Cluster Management window. For more information, see Cluster Management.

    To manually Resume Online Operations

  • This option is only available when the appliance is in Offline Workflow Mode.
    1. Go to Offline Workflow:
      • web client: Navigate to Cluster | Offline Workflow.
      • desktop client: Navigate to Administrative Tools | Settings | Cluster | Offline Workflow.
    2. Click Resume Online Operations to manually trigger moving the appliance from Offline Workflow Mode back to online operations.
    3. In the dialog box, type in Resume Online Operations and click Enter.
    4. When maintenance is complete, click Restart Desktop Client. The appliance is returned to Maintenance mode.
    5. You can verify requests and view health checks on the Cluster Management window. For more information, see Cluster Management.
  • Session Appliances with SPS link

    The Asset Administrator can link a Safeguard for Privileged Sessions (SPS) cluster to a Safeguard for Privileged Password (SPP) cluster of one appliance or more for session recording and auditing. The actual link must be between the SPP primary and the SPS cluster master. This means that the Safeguard for Privileged Sessions (SPS) cluster is aware of each node in an SPP cluster and vice-versa.

    Once linked, all sessions are initiated by the SPP appliance via an access request and managed by the SPS appliance and sessions are recorded via the Sessions Appliance.

    CAUTION: When linking your One Identity Safeguard for Privileged Sessions (SPS) deployment to your One Identity Safeguard for Privileged Passwords (SPP) deployment, ensure that the SPS and SPP versions match exactly, and keep the versions synchronized during an upgrade. For example, you can only link SPS version 6.6 to SPP version 6.6, and if you upgrade SPS to version 6.7, you must also upgrade SPP to 6.7.

    Make sure that you do not mix Long Term Supported (LTS) and feature releases. For example, do not link an SPS version 6.0 to an SPP version 6.1.

    NOTE: If you have a single node SPS cluster where the Central Management node is also the Search Master, SPP will be unable to launch sessions. There has to be at least one SPS appliance in the cluster that is capable of recording sessions. See the SPS Administration Guide, Managing Safeguard for Privileged Sessions (SPS) clusters.

    Safeguard for Privileged Passwords link guidance

    Before initiating the link, review the steps and considerations in the link guidance. For more information, see SPP and SPS sessions appliance link guidance.

    Pay attention to the roles assigned to the SPS nodes. The following caution is offered to avoid losing session playback from SPP.

    CAUTION: Do not switch the role of an SPS node from the Search Local role to Search Minion role. If you do, playback of the sessions recorded while in the Search Local role may not be played back from the SPP appliance, and may only be played back via the SPS web user interface. Recordings made with the node in Search Minion role are pushed to the Search Master node and are available for download to SPP. For details about SPS nodes and roles, see the One Identity Safeguard for Privileged Sessions Administration Guide: One Identity Safeguard for Privileged Sessions - Technical Documentation.

    Standard operating procedure after the initial link

    If you add another SPS cluster after the initial link, follow these standard operating procedures:

    1. Add link connections. See Viewing, deleting, or editing link connections later in this topic.
    2. Identify the session settings on the entitlements access request policy (SPS Connection Policy which is the IP address of the cluster master). For more information, see Creating an access request policy (desktop client).

    3. Assign the managed networks. For more information, see Managed Networks.
    4. Enable the Session Module Password Access Enabled toggle. Navigate to Settings | Access Request | Enable or Disable Services, Sessions Module
    If the SPS Central Management node is down

    SPP continues to launch sessions on the managed hosts when the SPS Central Management node is down. However, as long as the Central Management node is down, SPP cannot validate existing policies nor can it validate the SPS cluster topology. See the Safeguard for Privileged Sessions Administration Guide, Managing a High Availability One Identity Safeguard for Privileged Sessions (SPS) cluster.

    Connection deletion: soft delete versus hard delete

    Depending on your goals, you can perform a soft delete or a hard delete.

    Soft delete the connection

    When a session connection is deleted from the desktop client, the connection information is soft deleted so that a relink of the same SPS appliance can reuse the same values. This approach of soft deleting and reusing the same connection values on a relink avoids "breaking" all of the Access Request Polices that referenced the previous session connection.

    If the session connection is deleted, a caution displays when you navigate to Security Policy Management | Entitlements | Access Request Policies and go to the Security tab. For more information, see Session Settings tab (create access request policy desktop client).

    Hard delete the connection

    A hard delete can be performed to permanently remove the session connection. This is usually only done in cases where either a relink is not desired or retaining the previous session connection values is preventing an SPS appliance from linking or relinking.

    A hard delete can be performed from the API using the following steps for using PowerShell or Swagger.

    Hard delete with PowerShell

    The latest version of Safeguard PowerShell includes two cmdlets to perform the hard delete:

    split-safeguardSessionCluster -SessionMaster <name or ID of session master>

    Remove-SafeguardSessionSplitCluster -SessionMaster <name or ID of session master>

    See OneIdentity/safeguard-ps.

    Hard delete with Swagger

    1. In a browser, navigate to https://<your-ip-address>/service/core/swagger.
    2. Authenticate to the service using the Authorize button.
    3. Navigate to Cluster->GET /v3/cluster/SessionModules and click Try it out!.
    4. Identify if the unwanted session connection exists on the list:
      1. If the unwanted session connection exists in the list, then:
        1. Note the ID of the session connection.
        2. Navigate to Cluster DELETE /v3/cluster/SessionModules.
        3. Enter the ID.
        4. Click Try it out!”.
        5. Go to step 3.
      2. If the unwanted session connection does not exist in the list, then:
        1. Set the includeDisconnected parameter to true.
        2. Click Try it out!.
        3. If the unwanted session connection exists in the list, then go to step 4a to delete the entry a second time which will result in a hard delete.
    5. The process is complete and the session connection is permanently removed.
    Viewing, deleting, or editing link connections

    Once the link is complete, go to Session Appliances:

    • web client: Navigate to Cluster | Session Appliances.
    • desktop client: Navigate to Appliance Management | Cluster | Session Appliances.

    The Session Appliances pane displays the following session details.

    Table 203: Session Appliances: Properties
    Property Description

    Host Name

    The host name of the SPS appliance host cluster master.

    Network Address

    The network DNS name or IP address of the session connection.

    Description

    (optional) Descriptive text about the SPS session connection (for example, 20 on cluster - 172 primary node).

    Connection User

    The user name for Safeguard for Privileged Passwords (SPP). Do not include spaces in the user name.

    Thumbprint

    A unique hash value that identifies the certificate.

    Managed Hosts

    Other nodes in the SPS cluster identified by the managed host name and IP address. Hover over any Warning icon to see if the Managed Host is Unavailable or Unknown.

    Double-click a Host Name row to bring up the Session Module Connection dialog.

    Table 204: Session Module Connection: Properties
    Property Description

    Node ID

    The name of the Safeguard for Privileged Sessions Appliance used to authenticate the linked SPS session connection.

    Host Name

    The host name of the SPS appliance host cluster master.

    Connection Username

    The user name for Safeguard for Privileged Passwords (SPP). Do not include spaces in the user name.

    Description

    (Optional) Descriptive text about the SPS session connection (for example, 20 on cluster - 172 primary node).

    Network Address

    The network DNS name or IP address of the session connection.

    Use Host Name For Launch (not IP address)

    If checked, the connection string used to launch a session uses the host name of the SPS appliance rather than the IP address.

    Use these toolbar buttons to manage sessions.

    Table 205: Sessions Management: Toolbar
    Option Description

    Remove

    web client

    Delete Selected

    desktop client

    Remove the selected linked SPS session connection. For details on soft versus hard deletes, see Connection deletion: soft delete versus hard delete earlier in this topic.

    Edit

    Modify the selected linked SPS session connection Description or Network Address on the Session Module Connection dialog.

    Refresh

    Update the list of linked SPS session connections.

    관련 문서

    The document was helpful.

    평가 결과 선택

    I easily found the information I needed.

    평가 결과 선택