Chat now with support
Chat with Support

One Identity Safeguard for Privileged Passwords 6.0.7 LTS - Administration Guide

Introduction System requirements and versions Using API and PowerShell tools Using the virtual appliance and web management console Cloud deployment considerations Setting up Safeguard for Privileged Passwords for the first time Using the web client Getting started with the desktop client Using the desktop client Search box Privileged access requests Toolbox Accounts Account Groups Assets Asset Groups Discovery Entitlements Partitions Settings
Access Request settings Appliance settings Asset Management settings Backup and Retention settings Certificate settings Cluster settings External Integration settings Messaging settings Profile settings Safeguard Access settings
Users User Groups Disaster recovery and clusters Administrator permissions Preparing systems for management Troubleshooting Frequently asked questions Appendix A: Safeguard ports Appendix B: SPP 2.7 or later migration guidance Appendix C: SPP and SPS join guidance Appendix D: Regular Expressions SPP glossary

Activating a read-only appliance

Appliances that have been unjoined from a Safeguard for Privileged Passwords cluster or restored from a backup are placed in a Read-only mode.

You can activate an appliance in Read-only mode so you can add, delete, and modify data, apply access request workflow, and so on.

The appliance in Read-only mode must be online in order to use the Activate task. If it is offline or the cluster does not have consensus (that is, the majority of the remaining members are offline/unable to communicate), you must use the Cluster Reset option to rebuild your cluster. For more information, see Resetting a cluster that has lost consensus.

CAUTION: Activating an appliance that is in Read-Only mode will take it out of the Read-only state and enable password check and change for managed accounts. Ensure that no other Safeguard for Privileged Passwords Appliance is actively monitoring these accounts, otherwise access to managed accounts could be lost.

To activate a read-only appliance

  1. Log in to the read-only appliance as an Appliance Administrator.

  2. In Administrative Tools, navigate to Settings | Cluster | Cluster Management.

    The cluster view (left pane) displays one primary appliance with a yellow warning icon indicating the appliance is in a Read-only mode.

  3. In the cluster view (left pane), select the read-only node to be activated.
  4. In the details view (right pane), click Activate.

  5. In the Activate confirmation dialog, enter the word Activate and click OK to proceed.

    The appliance's node in the cluster view (left pane) no longer displays the yellow warning icon and the state is now Online.

Diagnosing a cluster member

The diagnostic tools are available to an Appliance Administrator or Operations Administrator for the currently connected appliance and any other appliances (replicas) in the cluster.

To run diagnostics on a clustered appliance

  1. In Settings, select Cluster | Cluster Management.
  2. From the cluster view (left pane), select the appliance to be diagnosed.

  3. In the details pane (right pane), click Diagnose.

    The Appliance Information view displays.

  4. Select Diagnostics and choose the type of test to be performed.

    • Ping: To verify your network connectivity and response time.
    • NS Lookup: To obtain your domain name or IP address.
    • Trace Route: To obtain your router information; trace route determines the paths packets take from one IP address to another.
    • Telnet: To access remote computers over TCP/IP networks like the internet.
    • Show Routes: To retrieve routing table information.
  5. Enter the requested information in the test dialog that displays.

Patching cluster members

When an appliance update is released, apply the patch so all appliances in the cluster are on the same version. See About cluster patching for more information on how Safeguard for Privileged Passwords handles access requests and system failures during the cluster patching process.

Prior to installing an update patch to a cluster

  • Ensure all appliances in the cluster are online and healthy. Any warnings or problems should be addressed before cluster patching. The patch install process will fail if any of the cluster members are unhealthy or cannot be contacted.

    IMPORTANT: The primary appliance orchestrates the cluster upgrade; therefore, the primary appliance must stay online and have a solid network connection with all of the replica appliances in the cluster. If this cannot be reasonably assured, you should unjoin the replica appliances from the cluster, individually upgrade them, and then re-enroll them into cluster.

  • It is highly recommended to take a backup of your primary appliance before applying a patch.
  • You may want to unjoin a replica from the cluster to serve as a backup appliance. In case of a catastrophic failure, you can activate the unjoined replica to be the primary. If the cluster patching process is successful, upgrade the unjoined replica, and then re-enroll it back into the cluster.

To patch appliances in a cluster

IMPORTANT: The following procedure applies to Safeguard for Privileged Passwords Appliances running version 2.1.x and later. If you need to patch appliances running an earlier version, you will need to unjoin replica appliances, install the patch on each appliance, and then enroll the replica appliances to rebuild your cluster. For more information, see Patching cluster members in the One Identity Safeguard for Privileged Passwords 2.0 Administration Guide.

  1. Log in to the primary appliance, as an Appliance Administrator.
  2. In Administrative Tools, select Settings | Appliance | Updates.

  3. Click Upload a File and browse to select an update file.

    The patch will be uploaded and distributed to all of the appliances in the cluster.

    NOTE: If you make changes to the cluster, such as adding a new replica, while a patch is staged, the update file must be distributed to the new cluster member before the patch install process can begin. Safeguard for Privileged Passwords will not allow the patch install process to begin until all of the cluster members report that they have the update file stored locally.

    NOTE: Clicking the Cancel button during the distribution process stops the distribution of the update file to the replicas. At this point, you can click one of the following buttons:

    • Remove to remove the update file from all of the appliances in the cluster
    • Distribute to Cluster to continue distributing the update file to each replica in the cluster

  4. Once the file has been successfully distributed to all of the replicas in the cluster, click the Install Now button.

    The primary appliance will go into Maintenance mode to begin the update operation. Once the primary appliance is successfully updated, Safeguard for Privileged Passwords will perform the update operation on each replica, one at a time. During an update operation, the cluster will be locked so that no other cluster operations can interfere with the update operation. Once the update operation is completed on all cluster members, the cluster will automatically unlock so normal operations can resume.

    The Cluster view (Settings | Cluster | Cluster Management) shows that an update operation is in progress and the cluster members that are locked, awaiting to install the update file.

    In addition, the Updates view (Settings | Appliance | Updates) shows the cluster members involved in the update operation and the progress as cluster members are successfully updated.

About cluster patching

The following information provides insight into how Safeguard for Privileged Passwords processes access requests during the cluster patching process. It also describes what happens if a cluster member loses power or network connectivity during the patching process.

Service guarantees

During a cluster upgrade, the cluster is split logically into the current version (side A) and the upgrade version (side B). Access request workflow is only enabled on one side at a time. Audit logs run on both sides and merge when the cluster patch completes. Initially, access request workflow is only enabled on side A, and replicas in PatchPending state can perform access requests. As appliances upgrade and move to side B, the access workflow migrates to side B when side B has a majority of the appliances. At this point in the upgrade process, replicas in PatchPending state can no longer perform access requests; however, all of the upgraded cluster members can perform access requests. There is a small window where access request workflow is unavailable as the data migrates from one side to the other.

Failure scenarios

If the primary appliance loses power or loses network connectivity during the upgrade process, it will try to resume the upgrade on restart.

If a replica is disconnected or loses power during an upgrade process, the replica will most likely go into quarantine mode. The primary appliance will skip that appliance and remove it from the cluster. This replica will need to be reset, upgraded, and then re-enrolled into the cluster manually to recover.

Configuration for password check out

The policy may be configured such that a password reset is required before the password can be checked out again. If that is the case, the following can be temporarily configured prior to cluster patching and access request to allow for password check out when a password has not been reset.

  • The policy can be set to allow multiple accesses.
  • The policy can be set to not require a password change at check in.
  • Emergency requests can be allowed so the user does not have to wait for the password to be reset.
Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating