Chat now with support
Chat with Support

One Identity Safeguard for Privileged Passwords 6.0.8 LTS - Administration Guide

Introduction System requirements and versions Using API and PowerShell tools Using the virtual appliance and web management console Cloud deployment considerations Setting up Safeguard for Privileged Passwords for the first time Using the web client Getting started with the desktop client Using the desktop client Search box Privileged access requests Toolbox Accounts Account Groups Assets Asset Groups Discovery Entitlements Partitions Settings
Access Request settings Appliance settings Asset Management settings Backup and Retention settings Certificate settings Cluster settings External Integration settings Messaging settings Profile settings Safeguard Access settings
Users User Groups Disaster recovery and clusters Administrator permissions Preparing systems for management Troubleshooting Frequently asked questions Appendix A: Safeguard ports Appendix B: SPP 2.7 or later migration guidance Appendix C: SPP and SPS join guidance Appendix D: Regular Expressions SPP glossary

Web management console system requirements

Table 7: Web kiosk requirements
Component Requirements
Web management console

Desktop browsers:

  • Apple Safari 13.1 for desktop (or later)
  • Google Chrome 80 (or later)
  • Microsoft Edge 80 (or later)
  • Mozilla Firefox 69 (or later)
  • Microsoft Internet Explorer 11 (Newer features may not work with Internet Explorer. You are encouraged to upgrade to a browser that can support all functionality.)

Platforms and versions follow.

  • You must license the VM with a Microsoft Windows license. We recommend using either the MAK or KMS method. Specific questions about licensing should be directed to your Sales Representative.

  • Supported hypervisors:
    • Microsoft Hyper-V (VHDX) version 8 or higher
    • VMware vSphere with vSphere Hypervisor (ESXi) version 6.5 or higher
    • VMware Worksation version 13 or higher

  • Minimum resources: 4 CPUs, 10GB RAM, and a 500GB disk. The virtual appliances default deploy does not provide adequate resources. Ensure these minimum resources are met.

Supported platforms

One Identity Safeguard for Privileged Passwords supports a variety of platforms, including custom platforms.

Safeguard for Privileged Passwords tested platforms

The following table lists the platforms and versions that have been tested for Safeguard for Privileged Passwords (SPP). Additional assets may be added to Safeguard for Privileged Passwords. If you do not see a particular platform listed when adding an asset, use the Other, Other Managed, or Other Linux selection on the Management tab of the Asset dialog. For more information, see Management tab (add asset).

SPP joined to SPS: Sessions platforms

When Safeguard for Privileged Passwords (SPP) is joined with a Safeguard for Privileged Sessions (SPS) appliance, platforms are supported that use one of these protocols:

• SPP 2.8 or lower: RDP, SSH

• SPP 2.9 or higher: RDP, SSH, or Telnet

Some platforms may support more than one protocol. For example, a Linux (or Linux variation) platform supports both SSH and Telnet protocols.

Supported platform updates

For all supported platforms, it is assumed that the latest updates are applied.

Table 8: Supported platforms: Assets that can be managed
Platform Version Architecture (all versions unless noted)

Supports SPP

Supports SPS Access

ACF2 - Mainframe

r14, r15

zSeries

True

True

ACF2 - Mainframe LDAP

r14, r15

zSeries

True

False

Active Directory

 

 

True

False

AIX

6.1, 7.1, 7.2

PPC

True

True

Amazon Linux

2

x86_64

True

True

Amazon Web Services (AWS)

1  

True

False

CentOS Linux

6

7

(ver 6) x86, x86_64

(ver 7) x86_64

True

True

Cisco ASA

7.x, 8.x

 

True

True

Cisco IOS 12.X, 15.X  

True

True

Debian GNU/Linux

6, 7, 8, 9

x86, x86_64, MIPS, PPC, zSeries

True

True

Dell iDRAC

7, 8

 

True

True

ESXi (VSphere)

5.5, 6.0, 6.5, 6.7

 

True

False

F5 Big-IP

12.1.2, 13.0, 14.0

 

True

True

Fedora

21, 22, 23, 24, 25, 26, 27, 28, 29, 30

x86, x86_64

True

True

Fortinet FortiOS

5.2, 5.6

 

True

True

FreeBSD

10.4, 11.1, 11.2

x86, x86_64

True

True

HP iLO

2, 3, 4

x86

True

True

HP iLO MP

2, 3

IA-64

True

True

HP-UX

11iv2 (B.11.23),
11iv3 (B.11.31)

PA-RISC, IA-64

True

True

IBM i (formerly AS/400)

7.1, 7.2, 7.3

PPC

True

True

Junos - Juniper Networks

12, 13, 14, 15

 

True

True

macOS

10.9, 10.10, 10.11, 10.12, 10.13

x86_64

True

True

MongoDB

3.4, 3.6, 4.0

 

True

False

MySQL

5.6, 5.7  

True

False

OpenLDAP

2.4

 

True

False

Oracle

11g Release 2,
12c Release 1
 

True

False

Oracle Linux (OEL)

6

7

(ver 6) x86, x86_64

(ver 7) x86_64

True

True

Other

 

 

False

False

Other Linux

 

 

True

True

Other Managed

 

 

True

False

PAN-OS

6.0, 7.0, 8.0, 8.1

 

True

True

PostgreSQL

9.6, 10.2, 10.3, 10.4, 10.5

 

True

False

RACF - Mainframe

z/OS V2.1 Security Server,
z/OS V2.2 Security Server

zSeries

True

True

RACF - Mainframe LDAP

z/OS V2.1 Security Server,
z/OS V2.2 Security Server

zSeries

True

False

Red Hat Enterprise Linux (RHEL)

6, 7, 8

(ver 6) x86, x86_64, PPC, zSeries

(ver 7 and 8) x86, x86_64, PPC, zSeries

True

True

SAP HANA

2.0

Other

True

False

SAP Netweaver Application Server

7.3, 7.4, 7.5

 

True

False

Solaris

10, 11

(ver 10) SPARC, x86, x86_64

(ver 11) SPARC, x86_64

True

True

SonicOS

5.9, 6.2

 

True

False

SonicWALL SMA or CMS

11.3.0

 

True

False

SQL Server

2012, 2014, 2016, 2017, 2019

 

True

False

SUSE Linux Enterprise Server (SLES)

11

12

(ver 11) x86, x86_64, PPC, zSeries, IA-64

(ver 12) x86_64, PPC, zSeries

True

True

Sybase (Adaptive Server Enterprise)

15.7, 16

 

True

False

Top Secret - Mainframe

r14, r15

zSeries

True

True

Top Secret - Mainframe LDAP

r14, r15

zSeries

True

False

Ubuntu

14.04 LTS, 15.04, 15.10, 16.04 LTS, 16.10, 17.04, 17.10, 18.04 LTS, 18.10, 19.04

x86, x86_64

True

True

Windows

Vista, 7, 8, 8.1, 10 Enterprise (including LTSC and loT).

 

True

True

Windows Server

2008, 2008 R2, 2012, 2012 R2, 2016, 2019

 

True

True

Windows SSH

7, 8, 8.1, 10

Server 2008 R2, 2012, 2012 R2, 2016, 2019

Windows SSH Other

 

True

True

Table 9: Supported platforms: Directories that can be searched
Platform Version

Microsoft Active Directory

Windows 2008+ DFL/FFL

OpenLDAP

2.4

For all supported platforms, it is assume that you are applying the latest updates. For unpatched versions of supported platforms, Support will investigate and assist on a case by case basis but it may be necessary for you to upgrade the platform or use SPP's custom platform feature.

Custom platforms

The following example platform scripts are available:

  • Custom HTTP
  • Linux SSH
  • Telnet
  • TN3270 transports are available

For more information, see Custom platforms and Creating a custom platform script.

CAUTION: Facebook and Twitter functionality has been deprecated. Refer to the custom platform open source script provided on GitHub. Facebook and Twitter platforms will be remove in a future release.

Sample custom platform scripts and command details are available at the following links available from the Safeguard Custom Platform Home wiki on GitHub:

CAUTION: Example scripts are provided for information only. Updates, error checking, and testing are required before using them in production. Safeguard for Privileged Passwords checks to ensure the values match the type of the property that include a string, boolean, integer, or password (which is called secret in the API scripts). Safeguard for Privileged Passwords cannot check the validity or system impact of values entered for custom platforms.

Setting up the virtual appliance

The Appliance Administrator uses the initial setup wizard to give the virtual appliance a unique identity, license the underlying operating system, and configure the network. The initial setup wizard only needs to be run one time after the virtual appliance is first deployed, but you may run it again in the future. It will not modify the appliance identity if run in the future.

Once set up, the Appliance Administrator can change the appliance name, license, and networking information, but not the appliance identity (ApplianceID). The appliance must have a unique identity.

The steps for the Appliance Administrator to initially set up the virtual appliance follow.

Step 1: Make adequate resources available

The virtual appliances default deploy does not provide adequate resources. The minimum resources required are: 4 CPUs, 10GB RAM, and a 500GB disk. Without adequate disk space, the patch will fail and you will need to expand disk space then re-upload the patch.

Step 2: Deploy the VM

Deploy the virtual machine (VM) to your virtual infrastructure. The virtual appliance is in the InitialSetupRequired state.

Hyper-V zip file import and set up

If you are using Hyper-V, you will need the Safeguard Hyper-V zip file distributed by One Identity to setup the virtual appliance. Follow these steps to unzip the file and import:

  1. Unzip the Safeguard-hyperv-prod... zip file.

  2. From Hyper-V, click Options.

  3. Select Action, Import Virtual Machine.
  4. On the Locate Folder tab, navigate to specify the folder containing the virtual machine to import then click Select Folder.

  5. On the Locate Folder tab, click Next.

  6. On the Select Virtual Machine tab, select Safeguard-hyperv-prod..., then click Next.

  7. On the Choose Import Type tab, select Copy the virtual machine (create a new unique ID), then click Next.
  8. On the Choose Destination tab, add the locations for the Virtual machine configuration folder, Checkpoint store, and Smart Paging folder, then click Next.
  9. On the Choose Storage Folders tab, identify Where do you want to store the imported virtual hard disks for this virtual machine? then click Next.
  10. Review the Summary tab, then click Finish.
  11. In the Settings, Add Hardware, connect to Safeguard's MGMT and X0 network adapter.
  12. Right click on the Safeguard-hyperv-prod... and click Connect... to complete the configuration and connect.

Step 3: Initial access

Initiate access using one of these methods:

  • Via a virtual display: Connect to the virtual display of the virtual machine. You will not be offered the opportunity to apply a patch with this access method. Upload and download are not available from the virtual display. Continue to step 4. If you are using Hyper-V, make sure that Enhanced Session Mode is disabled for the display. See your Hyper-V documentation for details.
  • Via a browser: Configure the networking of your virtual infrastructure to proxy https://192.168.1.105 on the virtual appliance to an address accessible from your workstation then open a browser to that address. For instructions on how to do this, consult the documentation of your virtual infrastructure (for example, VMWare). You will be offered the opportunity to apply a patch with this access method. Upload and download are available from the browser. Continue to step 4.

    IMPORTANT: After importing the OVA and before powering it on, check the VM to make sure it doesn't have a USB controller. If there is a USB controller, remove it.

Step 4: Complete initial setup

Click Begin Initial Setup. Once this step is complete, the appliance resumes in the Online state.

Step 5: Log in and configure Safeguard for Privileged Passwords

  1. If you are applying a patch, check your resources and expand the disk space, if necessary. The minimum resources are: 4 CPUs, 10GB RAM, and a 500GB disk.
  2. To log in, enter the following default credentials for the Bootstrap Administrator then click Log in.
    • User Name: admin
    • Password: Admin123

  3. If you are using a browser connected via https://192.168.1.105, the Initial Setup pane identifies the current Safeguard version and offers the opportunity to apply a patch. Click Upload Patch to upload the patch to the current Safeguard version or click Skip. (This is not available when using the Safeguard Virtual Kiosk virtual display.)
  4. In the web management console on the Initial Setup pane, enter the following.
    1. Appliance Name: Enter the name of the virtual appliance.
    2. Windows Licensing: Select one of the following options:
      • Use KMS Server: If you leave this field blank, Safeguard will use DNS to locate the KMS Server automatically. For the KMS Server to be found, you will need to have defined the domain name in the DNS Suffixes.

        If KMS is not registered with DNS, enter the network IP address of your KMS server.

      • Use Product Key: If selected, your appliance will need to be connected to the internet for the necessary verification to add your organization's Microsoft activation key.

        You can update this information in Administrative Tools | Settings | Appliance | Operating System Licensing. For more information, see Operating system licensing.

    3. NTP: Complete the Network Time Protocol (NTP) configuration.
      • Select Enable NTP to enable the protocol.
      • Identify the Primary NTP Server IP address and, optionally, the Secondary NTP Server IP address.
    4. Network (X0): For the X0 (public) interface, enter the IPv4 and/or IPv6 information, and DNS Servers information.
  5. Click Save. The virtual appliance displays progress information as it configures Safeguard, the network adapter(s), and the operating system licensing.
  6. When you see the message Maintenance is complete, click Continue.

Step 6: Access the desktop client or use the web client

You can go to the virtual appliance's IP address for the X0 (public) interface from your browser:

Step 7: Change the Bootstrap Administrator's password

For security reasons, change the password on the Bootstrap Administrator User. For more information, see Setting a local user's password.

View or change the virtual appliance setup

You can view or change the virtual appliance setup.

  • From the web management console, click Home to see the virtual appliance name, licensing, and networking information.
  • After the first setup, Safeguard for Privileged Passwords updates and networking changes can be made via the web management console by clicking Setup.

License: hardware, virtual, expiration

One Identity Safeguard for Privileged Passwords is made up of a core set of features, such as the UI and Web Services layers, and a number of modules.

Hardware appliance

The One Identity Safeguard for Privileged Passwords 3000 Appliance and 2000 Appliance ship with the following module which requires a valid license to enable functionality:

  • Privileged Passwords

You must install a valid license for each Safeguard for Privileged Passwords module to operate. More specifically, if any module is installed, Safeguard for Privileged Passwords will show a license state of Licensed and is operational. However, depending on which models are licensed, you will see limited functionality. That is, even though you will be able to configure access requests:

  • If a Privileged Passwords module license is not installed, you will not be able to request a password release.

Virtual appliance licensing

You must license the virtual appliance with a Microsoft Windows license. We recommend using either the MAK or KMS method. Specific questions about licensing should be directed to your Sales Representative.

Privileged sessions is available via a join to Safeguard for Privileged Sessions.

The virtual appliance will not function unless the operating system is properly licensed.

License expiration notice

As an Appliance Administrator:

  • If you receive a "license expiring" notification, apply a new license using that module's Update License link:
    • (web client): Click the  Settings menu on the left then click Licensing . Click to upload a new license file.
    • (desktop client): Navigate to Administrative Tools | Settings | Appliance | Licensing. Click to upload a new license file.
  • If all licensed modules have expired, you will be prompted to add a new license when logging in to the Safeguard for Privileged Passwords desktop client.
  • If only one of the licensed modules have expired, apply a new module license by clicking in Administrative Tools | Settings | Appliance | Licensing.

As a Safeguard for Privileged Passwords user, if you get an "appliance is unlicensed" notification, contact your Appliance Administrator.

For more information on adding or updating a Safeguard for Privileged Passwords license, see Licensing.

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating