SSH Algorithms
The Appliance Administrator has the option to configure SSH Algorithms, if necessary, to restrict the algorithms used when connecting to any SSH server. The settings are applied whenever Safeguard for Privileged Passwords connects to any SSH server, either to connect to an asset using SSH or to connect to an archive server using SSH.
When an SSH client connects to a server, each side of the connection offers four lists of algorithms to use as connection parameters to the other side. These are:
- Public Key: The public key algorithms accepted for an SSH server to authenticate itself to an SSH client
- Cipher: The ciphers to encrypt the connection
- Kex: The key exchange methods that are used to generate per-connection keys
- MAC: The message authentication codes used to detect traffic modification
By default, Safeguard for Privileged Passwords offers all supported algorithms when using SSH to connect to an archive server or asset. For each algorithm type, you can configure Safeguard to offer a subset of the supported algorithms. To return to the default (support all algorithms), delete all algorithm information entered then save the changes.
For a successful connection, there must be at least one mutually-supported choice for each parameter. Safeguard for Privileged Passwords may initiate an SSH connection to an asset or archive server and not be able to negotiate a mutually-acceptable algorithm. An error is reported and an attempt is made to identify the algorithm type that could not be negotiated. Some SSH servers do not provide enough information to identify the algorithm type.
To identify SSH algorithms
- Navigate to SSH Algorithms:
- web client: Navigate to Appliance > SSH Algorithms.
- Click Refresh anytime to refresh the settings.
- Enter a comma separated list of the algorithms you want in the text boxes. Leave the text box blank to allow all supported algorithms.
- Public Key
- Cipher
- Kex
- Mac
- Click Save.
Adjusting the preferred order of preference for public key algorithms
By default, the list of public key algorithms supported for host keys and available for identity keys is negotiated with the SSHD server in this order of preference:
-
Ssh-ed25519,
-
ecdsa-sha2-nistp256,
-
ecdsa-sha2-nistp384,
-
ecdsa-sha2-nistp521
-
ssh-rsa
-
rsa-sha2-256
-
rsa-sha2-512
-
ssh-dss
You can change the preferred order and/or restrict the available algorithms to a subset of this list by configuring the PublicKey list using the SshAlgorithms API.
Patch Updates
It is the responsibility of the Appliance Administrator to update or upgrade Safeguard for Privileged Passwords by installing an update file to modify the software or configuration of the running appliance. See the Download Software page for available SPP releases and version patches.
If an update fails, the audit log reflects: PatchUploadFailed.
Clustered environment
Apply the patch so all appliances in the cluster are on the same version. For more information, see Patching cluster members.
To install an update file
IMPORTANT: Once you start a patch update, do not leave or refresh the page. Doing so will cause the browser to lose track of the patch update and you will have to restart the process.
-
Back up your system before you install an update file. For more information, see Backup and Restore.
- Go to Patch Updates:
- web client: Navigate to Appliance > Patch Updates.
- The current Appliance Version displays along with the operating system level, whether the appliance is online or offline, and whether the appliance is the Primary.
-
Click Upload a File and browse to select an update file. Simply uploading a file does not install the file. You must complete the next step.
If the patch verification fails an error alert displays, click on any of the Error or Warning counts to view the errors or warnings currently logged.
- Once the file has successfully uploaded, click one of the following:
- Install Now to install the update file. Respond to the confirmation dialog which includes any warnings. The install process begins and the appliance goes into maintenance mode.
Once you install an update file, you cannot uninstall it. This button is disabled until the patch is distributed to all cluster members. If this is a single-appliance cluster distribution is not required.
- Distribute to Cluster is disabled if there are errors. Click Distribute to Cluster to initiate the distribution of the patch to all cluster members. Clicking Cancel will stop distribution. Cluster Update Status blocks will be updated as each member receives the patch
- Check Errors to initiate a check of pre-patch conditions. If the patch has not been distributed or if there was an error reported during validation this will only perform the check on the local appliance. If the patch has been distributed this will perform the check on all cluster members. The same warnings may be returned from each cluster member.
- Remove is enabled when the patch is uploaded. Click Remove to remove (unstage) the patch from all cluster members.
The Updates pane shows the upgrade progress and when the appliance has been successfully upgraded.
Power
The Appliance Administrator or Operations Administrator can power down or restart an appliance from the web client or directly from the appliance itself.
|
Caution: Rebooting the appliance causes a service outage for any current users. |
You can shut down or restart your appliance from the web client. The steps follow.
To shut down an appliance
- Navigate to Appliance > Power.
- Under Power, type a Reason for shutting down the Safeguard for Privileged Passwords Appliance then click Shut Down.
- To confirm your action, enter the words Shut Down in the box and click OK.
- The Safeguard for Privileged Passwords Appliance LCD screen displays LCD service terminating.
To start up an appliance
- Navigate to Appliance > Appliance Information
- Scroll to the bottom of the dialog. Under Power, type a Reason for restarting the Safeguard for Privileged Passwords Appliance then click Restart. The appliance goes into maintenance mode. The user is informed when the restart is complete.
- To confirm your action, enter the word Restart in the box and click OK.
- The Safeguard for Privileged Passwords Appliance LCD screens display the run level status of the appliance as it is starting up. For more information, see LCD status messages.
Appliance
You can shut down or restart your appliance from the appliance itself.
Appliance: Shut down from the appliance
You can use the Red X button on the front panel of the appliance to shut it down. Press and hold the Red X button for four seconds until it displays POWER OFF.
|
Caution: Once the Safeguard appliance is booted, DO NOT press and hold the Red X button for more than 13 seconds. This will hard power off the appliance and may result in damage. |
Appliance: Restart from the appliance
After the appliance powers off, you will need physical access to start it. Press the Green check mark button on the front panel of the appliance for NO MORE than one second to power on the appliance.
|
CAUTION: Once the Safeguard appliance is booted, DO NOT press and hold the Green check mark button. Holding this button for four or more seconds will cold reset the power of the appliance and may result in damage. |
Support bundle
To analyze and diagnose issues, One Identity Support may ask the Appliance Administrator or Operations Administrator to send a support bundle containing system and configuration information.
As an alternative, you can use the Recovery Kiosk to generate and send a support bundle to a Windows share. For more information, see Recovery Kiosk (Serial Kiosk).
Virtual appliance support bundles are generate from the web management console. For more information, see Support Kiosk..
IMPORTANT: User must remain on the page until the bundle is complete. If user refreshes or navigates away from the page the back-end bundle process continues to run to completion, but the pending web request is canceled and the bundle will not be retrievable.
To create a support bundle
-
Navigate to:
- web client: Navigate to Appliance > Support Bundle.
- Select Include Event Logs if you want to include operating system events. Unless requested by support, it is recommended to leave this unchecked because it takes much longer to generate the support bundle.
- Select Limit included log files then identify the number of Days for which data should be collected.
- Click Generate Support Bundle.
- Browse to select a location to save the support bundle .zip file and click Save.
- Send the support bundle to One Identity Support. For more information, see About us.