Converse agora com nosso suporte
Chat com o suporte

One Identity Safeguard for Privileged Passwords 6.0 LTS - Administration Guide

Introduction System requirements Using the virtual appliance and web management console Cloud deployment considerations Setting up Safeguard for Privileged Passwords for the first time Search box Using the web client Installing the desktop client Using the desktop client Privileged access requests Toolbox Accounts Account Groups Assets Asset Groups Discovery Entitlements Partitions Settings
Access Request settings Appliance settings Asset Management settings Backup and Retention settings Certificate settings Cluster settings External Integration settings Messaging settings Profile settings Safeguard Access settings
Users User Groups Disaster recovery and clusters Administrator permissions Preparing systems for management Troubleshooting Frequently asked questions Appendix A: Safeguard ports Appendix B: SPP 2.7 or later migration guidance Appendix C: SPP and SPS join guidance Appendix D: Regular Expressions Appendix E: Historical changes by release Glossary

Long Term Support (LTS) and Feature Releases

Releases use the following version designations:

  • Long Term Support (LTS) Releases: The first digit identifies the release and the second is a zero (for example, 6.0 LTS).
  • Maintenance LTS Releases: A third digit is added followed by LTS (for example, 6.0.1 LTS).
  • Feature Releases: The Feature Releases are two digits (for example, 6.6).

Customers choose between two lanes for receiving releases: Long Term Support (LTS) Release or Feature Release. See the following table for details.

Table 10: Comparison of Long Term Support (LTS) Release and Feature Release
  Long Term Support (LTS) Release Feature Release
Release frequency

Frequency: Typically, every 2 years

Scope: Includes new features, resolved issues and security updates

Versioning: The first digit identifies the LTS and the second digit is a 0 (for example, 6.0 LTS, 7.0 LTS, and so on).

Frequency: Typically, every 3 months

Scope: Includes the latest features, resolved issues, and other updates, such as security patches for the OS

Versioning: The first digit identifies the LTS and the second digit is a number identifying the Feature Release (for example, 6.6, 6.7, and so on).

Maintenance Release

Frequency:Typically, every 3 months during full support

Scope: Includes critical resolved issues

Versioning: A third digit designates the maintenance LTS Release (for example, 6.0.1 LTS).

Frequency:Only for highly critical issues

Scope: Includes highly critical resolved issues

Versioning: A third digit designates the maintenance Feature Release (for example, 6.7.1).

Support

Typically 3 years after the original publication date or until the next LTS is published (whichever date is later)

Typically 6 months after the original publication date or until the next feature or LTS Release is published (whichever date is later)

Release details can be found at Product Life Cycle.

CAUTION: Downgrading from the latest Feature Release, even to an LTS release, voids support for SPP.

One Identity strongly recommends always installing the latest revision of the release path you use (Long Term Support path or Feature Release path).

Moving between LTS and Feature Release versions

You can move from an LTS version (for example, 6.0.7 LTS) to the same feature version (6.7) and then patch to a later feature version. After that, you can patch from the minimum version for the patch, typically N-3. If you move from an LTS version to a feature version, you will receive a warning like the following which informs you that you will only be able to apply a Feature Release until the next LTS Release:

Warning: You are patching to a Feature Release from an LTS Release. If you apply this update, you will not be able to upgrade to a non-Feature Release until the next LTS major release version is available. See the Administration Guide for details.

You cannot move from a Feature Release to LTS Release. For example, you cannot move from 6.7 to 6.0.7 LTS. You have to keep upgrading with each new Feature Release until the next LTS Release version is published. For this example, you would wait until 7.0 LTS is available.

Patching

You can only patch from a major version. For example, if you have version 6.6 and want to patch to 7.7, you must patch to 7.0 LTS and then apply 7.7.

An LTS major version of Safeguard for Privileged Passwords (SPP) will work with the same LTS major version of Safeguard for Privileged Sessions (SPS). For the best experience, it is recommended you keep both their SPP and SPS in sync on the latest and supported version.

Using the virtual appliance and web management console

Before you start: platforms and resources

When setting up a virtual environment, carefully consider the configuration aspects such as CPU, memory availability, I/O subsystem, and network infrastructure to ensure the virtual layer has the necessary resources available. See One Identity's Product Support Policies for more information on environment virtualization.

Platforms and versions follow.

  • You must license the VM with a Microsoft Windows license. We recommend using either the MAK or KMS method. Specific questions about licensing should be directed to your Sales Representative.

  • Supported hypervisors:
    • Microsoft Hyper-V (VHDX) version 8 or higher
    • VMware vSphere with vSphere Hypervisor (ESXi) version 6.5 or higher
    • VMware Worksation version 13 or higher

  • Minimum resources: 4 CPUs, 10GB RAM, and a 500GB disk. The virtual appliances default deploy does not provide adequate resources. Ensure these minimum resources are met.
Available wizards

The Appliance Administrator responsible for racking and initial configuration of the appliance can create the virtual appliance, launch the Safeguard web management console, and select one of the following wizards.

  • Initial Setup: Used to set up the virtual appliance for the first time including naming, OS licensing, and networking. For more information, see Setting up the virtual appliance.
  • Setup: After the first setup, Safeguard for Privileged Passwords updates and networking changes can be made via the web management console by clicking Setup.
  • Support Kiosk: The Support Kiosk is used to diagnose and resolve issues with Safeguard for Privileged Passwords. Any user able to access the kiosk can perform low-risk support operations including appliance restart or shutdown and support bundle creation. In order to reset the admin password, the user must obtain a challenge response token from One Identity support. For more information, see Support Kiosk.

Security

CAUTION: To maximize security in the absence of a hardened appliance, restrict the access to the Safeguard virtual disks, the web management console, and the MGMT interface to as few users as possible. The Management web kiosk gives access to functions without authentication, such as pulling a support bundle or rebooting the appliance.

Security recommendations follow.

  • X0 hosts the public API and is network adapter 1 in the virtual machine settings. Connect this to your internal network.
  • MGMT hosts the web management console and is network adapter 2 in the virtual machine settings. This interface always has the IP address of 192.168.1.105. Connect this to a private, restricted network accessible to administrators only, or disconnect it from the network to restrict unauthenticated actions such as rebooting or shutting down the appliance. The web management console is also available via the VMware console.

Once setup is completed, you can verify which of your NICs is MGMT and X0 by referring to the MAC address information found in Support Kiosk | Appliance Information | Networking for X0 and MGMT. For more information, see Support Kiosk.

Backups: virtual appliance and hardware appliance

To protect the security posture of the Safeguard hardware appliance, Safeguard hardware appliances cannot be clustered with Safeguard virtual appliances. Backups taken from a hardware appliance cannot be restored on virtual appliances and backups taken from a virtual appliance cannot be restored on a hardware appliance.

For more information, see Virtual appliance backup and recovery.

Upload and download

There is a web management console running on 192.168.1.105. When you connect to the virtual appliance via the virtual display, the web management console is displayed automatically, however, upload and download functionality are disabled when connected this way.

You may choose to configure the networking of your virtual machine infrastructure to enable you to proxy to https://192.168.1.105 from your desktop. Connecting in this way will enable you to upload and download from the web management console.

CAUTION: Cloning and snapshotting are not supported and should not be used. Instead of cloning, deploy a new VM and perform Initial Setup. Instead of snapshotting, take a backup of the virtual appliance.

Migrating the VM

VMware VMotion can be used for live migration of a virtual machine from one physical server to another.

Setting up the virtual appliance

The Appliance Administrator uses the initial setup wizard to give the virtual appliance a unique identity, license the underlying operating system, and configure the network. The initial setup wizard only needs to be run one time after the virtual appliance is first deployed, but you may run it again in the future. It will not modify the appliance identity if run in the future.

Once set up, the Appliance Administrator can change the appliance name, license, and networking information, but not the appliance identity (ApplianceID). The appliance must have a unique identity.

The steps for the Appliance Administrator to initially set up the virtual appliance follow.

Step 1: Make adequate resources available

The virtual appliances default deploy does not provide adequate resources. The minimum resources required are: 4 CPUs, 10GB RAM, and a 500GB disk. Without adequate disk space, the patch will fail and you will need to expand disk space then re-upload the patch.

Step 2: Deploy the VM

Deploy the virtual machine (VM) to your virtual infrastructure. The virtual appliance is in the InitialSetupRequired state.

Hyper-V zip file import and set up

If you are using Hyper-V, you will need the Safeguard Hyper-V zip file distributed by One Identity to setup the virtual appliance. Follow these steps to unzip the file and import:

  1. Unzip the Safeguard-hyperv-prod... zip file.

  2. From Hyper-V, click Options.

  3. Select Action, Import Virtual Machine.
  4. On the Locate Folder tab, navigate to specify the folder containing the virtual machine to import then click Select Folder.

  5. On the Locate Folder tab, click Next.

  6. On the Select Virtual Machine tab, select Safeguard-hyperv-prod..., then click Next.

  7. On the Choose Import Type tab, select Copy the virtual machine (create a new unique ID), then click Next.
  8. On the Choose Destination tab, add the locations for the Virtual machine configuration folder, Checkpoint store, and Smart Paging folder, then click Next.
  9. On the Choose Storage Folders tab, identify Where do you want to store the imported virtual hard disks for this virtual machine? then click Next.
  10. Review the Summary tab, then click Finish.
  11. In the Settings, Add Hardware, connect to Safeguard's MGMT and X0 network adapter.
  12. Right click on the Safeguard-hyperv-prod... and click Connect... to complete the configuration and connect.

Step 3: Initial access

Initiate access using one of these methods:

  • Via a virtual display: Connect to the virtual display of the virtual machine. You will not be offered the opportunity to apply a patch with this access method. Upload and download are not available from the virtual display. Continue to step 4. If you are using Hyper-V, make sure that Enhanced Session Mode is disabled for the display. See your Hyper-V documentation for details.
  • Via a browser: Configure the networking of your virtual infrastructure to proxy https://192.168.1.105 on the virtual appliance to an address accessible from your workstation then open a browser to that address. For instructions on how to do this, consult the documentation of your virtual infrastructure (for example, VMWare). You will be offered the opportunity to apply a patch with this access method. Upload and download are available from the browser. Continue to step 4.

    IMPORTANT: After importing the OVA and before powering it on, check the VM to make sure it doesn't have a USB controller. If there is a USB controller, remove it.

Step 4: Complete initial setup

Click Begin Initial Setup. Once this step is complete, the appliance resumes in the Online state.

Step 5: Log in and configure Safeguard for Privileged Passwords

  1. If you are applying a patch, check your resources and expand the disk space, if necessary. The minimum resources are: 4 CPUs, 10GB RAM, and a 500GB disk.
  2. To log in, enter the following default credentials for the Bootstrap Administrator then click Log in.
    • User Name: admin
    • Password: Admin123

  3. If you are using a browser connected via https://192.168.1.105, the Initial Setup pane identifies the current Safeguard version and offers the opportunity to apply a patch. Click Upload Patch to upload the patch to the current Safeguard version or click Skip. (This is not available when using the Safeguard Virtual Kiosk virtual display.)
  4. In the web management console on the Initial Setup pane, enter the following.
    1. Appliance Name: Enter the name of the virtual appliance.
    2. Windows Licensing: Select one of the following options:
      • Use KMS Server: If you leave this field blank, Safeguard will use DNS to locate the KMS Server automatically. For the KMS Server to be found, you will need to have defined the domain name in the DNS Suffixes.

        If KMS is not registered with DNS, enter the network IP address of your KMS server.

      • Use Product Key: If selected, your appliance will need to be connected to the internet for the necessary verification to add your organization's Microsoft activation key.

        You can update this information in Administrative Tools | Settings | Appliance | Operating System Licensing. For more information, see Operating system licensing.

    3. NTP: Complete the Network Time Protocol (NTP) configuration.
      • Select Enable NTP to enable the protocol.
      • Identify the Primary NTP Server IP address and, optionally, the Secondary NTP Server IP address.
    4. Network (X0): For the X0 (public) interface, enter the IPv4 and/or IPv6 information, and DNS Servers information.
  5. Click Save. The virtual appliance displays progress information as it configures Safeguard, the network adapter(s), and the operating system licensing.
  6. When you see the message Maintenance is complete, click Continue.

Step 6: Access the desktop client or use the web client

You can go to the virtual appliance's IP address for the X0 (public) interface from your browser:

Step 7: Change the Bootstrap Administrator's password

For security reasons, change the password on the Bootstrap Administrator User. For more information, see Setting a local user's password.

View or change the virtual appliance setup

You can view or change the virtual appliance setup.

  • From the web management console, click Home to see the virtual appliance name, licensing, and networking information.
  • After the first setup, Safeguard for Privileged Passwords updates and networking changes can be made via the web management console by clicking Setup.

Virtual appliance backup and recovery

Use the following information to back up and recover a Safeguard for Privileged Passwords virtual appliance. Factory reset is not an option for virtual appliances. To factory reset a virtual appliance, just redeploy the appliance.

Backing up the virtual appliance

To ensure security of the hardware appliance, backups taken from a hardware appliance cannot be restored on virtual appliances and backups taken from a virtual appliance cannot be restored on a hardware appliance.

Backup is handled via Administrative Tools | Settings | Backup and Retention. For more information, see Backup and Retention settings.

Recovery of the virtual appliance

A Safeguard for Privileged Passwords virtual appliance is reset by using the following recovery steps.

On-prem virtual appliance (for example, Hyper-V or VMware)

  1. Redeploy the virtual appliance and run Initial Setup. For more information, see Setting up the virtual appliance.
  2. Restore the backup. For more information, see Backup and Retention settings.

Cloud virtual appliance (for example, AWS or Azure)

  1. Redeploy using the deployment steps:
Documentos relacionados

The document was helpful.

Selecione a classificação

I easily found the information I needed.

Selecione a classificação