When sealed mode is enabled, the following settings are automatically applied:
One Identity Safeguard for Privileged Sessions (SPS) cannot be accessed remotely via SSH for maintenance.
The root password of SPS cannot be changed in sealed mode.
It is not possible to upload or delete plugins in sealed mode.
Sealed mode can be disabled only from the local console. For details, see Disabling sealed mode.
To enable sealed mode use one of the following methods:
Select the Sealed mode option during the Welcome Wizard.
Select Basic Settings > System > Sealed mode > Activate sealed mode on the SPS web interface.
Log in to SPS as root using SSH or the local console, and select Sealed mode > Enable from the console menu.
The event of disabling sealed mode is logged. The following describes how to disable sealed mode.
To disable sealed mode
Go to the One Identity Safeguard for Privileged Sessions (SPS) appliance and access the local console.
Log in as root.
From the console menu, select Sealed mode > Disable
Select Back to Main menu > Logout.
One Identity Safeguard for Privileged Sessions (SPS) 6.9.3 includes a dedicated out-of-band management interface conforming to the Intelligent Platform Management Interface (IPMI) v2.0 standards. The IPMI allows system administrators to monitor the system health of SPS and to manage the computer events remotely, independently of the operating system of SPS. SPS is accessible using the IPMI only if the IPMI is physically connected to the network.
Note that the IPMI supports only 100 Mbps Full-Duplex speed.
For details on connecting the IPMI, see "Installing the SPS hardware" in the Installation Guide.
For details on configuring the IPMI, see Configuring the IPMI from the console.
For details on using the IPMI to remotely monitor and manage SPS, see the following document:
For Safeguard Sessions Appliance 3000 and 3500, see the X9 SMT IPMI User's Guide.
Basic information about the IPMI is available also on the SPS web interface on the Basic Settings > High Availability page. The following information is displayed:
Figure 133: Basic Settings > High Availability — Information about the IPMI SPS
Hardware serial number: The unique serial number of the appliance.
IPMI IP address: The IP address of the IPMI.
IPMI subnet mask: The subnet mask of the IPMI.
IPMI default gateway: The address of the default gateway configured for the IPMI.
IPMI IP address source: Shows how the IPMI receives its IP address: dynamically from a DHCP server, or it uses a fixed static address.
The following describes how to modify the network configuration of IPMI from the console of One Identity Safeguard for Privileged Sessions (SPS).
SPS is accessible using the IPMI only if the IPMI is physically connected to the network. For details on connecting the IPMI, see "Installing the SPS hardware" in the Installation Guide.
|
Caution:
IPMI searches for available network interfaces during boot. Make sure that IPMI is connected to the network through the dedicated Ethernet interface before SPS is powered on. |
|
Caution: SECURITY HAZARD!
The IPMI, like all out-of-band management interfaces, has known vulnerabilities that One Identity cannot fix or have an effect on. To avoid security hazards, One Identity recommends that you only connect the IPMI to well-protected, separated management networks with restricted accessibility. Failing to do so may result in an unauthorized access to all data stored on the SPS appliance. Data on the appliance can be unencrypted or encrypted, and can include sensitive information, for example, passwords, decryption keys, private keys, and so on. For more information, see Best Practices for managing servers with IPMI features enabled in Datacenters. |
NOTE: The administrator of SPS must be authorized and able to access the IPMI for support and troubleshooting purposes in case vendor support is needed.
The following ports are used by the IPMI:
Port 22 (TCP): SSH (configurable)
Port 80 (TCP): Web (configurable)
Port 161 (UDP, TCP): SNMP (configurable)
Port 443 (TCP): Web SSL (configurable)
Port 623 (UDP): Virtual Media (configurable)
Port 5900 (TCP): IKVM Server (configurable)
Port 5985 (TCP): Wsman (configurable)
The SSH encrypted connection (port 22) works with the following properties:
Supported: |
Safeguard Sessions Appliance 3000 |
Safeguard Sessions Appliance 3500 |
---|---|---|
Ciphers |
aes128-ctr, aes256-ctr |
3des-cbc, aes128-ctr, aes128-cbc, aes256-ctr, aes256-cbc |
KEX algorithm |
curve25519-sha256, ecdh-sha2-nistp256, curve25519-sha256@libssh.org, ecdh-sha2-nistp384, diffie-hellman-group1-sha1, ecdh-sha2-nistp521, diffie-hellman-group14-sha1 |
curve25519-sha256, ecdh-sha2-nistp256, curve25519-sha256@libssh.org, ecdh-sha2-nistp384, diffie-hellman-group1-sha1, ecdh-sha2-nistp521, diffie-hellman-group14-sha1 |
MACs |
hmac-sha1, hmac-sha2-256, hmac-sha1-96, hmac-sha2-512 |
hmac-md5, hmac-sha2-256, hmac-sha1, hmac-sha2-512, hmac-sha1-96 |
HostKey algorithms |
ssh-rsa, ssh-dss |
ssh-rsa, ssh-dss |
Compression |
enabled | enabled |
SSL encrypted connections work with the following properties:
Supported: |
Safeguard Sessions Appliance 3000 |
Safeguard Sessions Appliance 3500 |
---|---|---|
TLSv1.2 |
enabled |
enabled |
TLS Fallback SCSV |
supported |
supported |
Heartbleed |
not vulnerable |
not vulnerable |
Server Ciphers |
Preferred TLSv1.2 256 bits ECDHE-RSA-AES256-GCM-SHA384 Curve P-256 DHE 256 Accepted TLSv1.2 256 bits ECDHE-RSA-AES256-SHA384 Curve P-256 DHE 256 Accepted TLSv1.2 256 bits DHE-RSA-AES256-GCM-SHA384 DHE 2048 bits Accepted TLSv1.2 256 bits DHE-RSA-AES256-SHA256 DHE 2048 bits Accepted TLSv1.2 256 bits AES256-GCM-SHA384 Accepted TLSv1.2 256 bits AES256-SHA256 Accepted TLSv1.2 128 bits ECDHE-RSA-AES128-GCM-SHA256 Curve P-256 DHE 256 Accepted TLSv1.2 128 bits ECDHE-RSA-AES128-SHA256 Curve P-256 DHE 256 Accepted TLSv1.2 128 bits DHE-RSA-AES128-GCM-SHA256 DHE 2048 bits Accepted TLSv1.2 128 bits DHE-RSA-AES128-SHA256 DHE 2048 bits Accepted TLSv1.2 128 bits AES128-GCM-SHA256 Accepted TLSv1.2 128 bits AES128-SHA256 |
Preferred TLSv1.2 256 bits ECDHE-RSA-AES256-GCM-SHA384 Curve P-256 DHE 256 Accepted TLSv1.2 256 bits ECDHE-RSA-AES256-SHA384 Curve P-256 DHE 256 Accepted TLSv1.2 256 bits DHE-RSA-AES256-GCM-SHA384 DHE 2048 bits Accepted TLSv1.2 256 bits DHE-RSA-AES256-SHA256 DHE 2048 bits Accepted TLSv1.2 256 bits AES256-GCM-SHA384 Accepted TLSv1.2 256 bits AES256-SHA256 Accepted TLSv1.2 128 bits ECDHE-RSA-AES128-GCM-SHA256 Curve P-256 DHE 256 Accepted TLSv1.2 128 bits ECDHE-RSA-AES128-SHA256 Curve P-256 DHE 256 Accepted TLSv1.2 128 bits DHE-RSA-AES128-GCM-SHA256 DHE 2048 bits Accepted TLSv1.2 128 bits DHE-RSA-AES128-SHA256 DHE 2048 bits Accepted TLSv1.2 128 bits AES128-GCM-SHA256 Accepted TLSv1.2 128 bits AES128-SHA256 |
Server Key Exchange Groups |
TLSv1.2 128 bits secp256r1 (NIST P-256) |
TLSv1.2 128 bits secp256r1 (NIST P-256) |
Server Signature Algorithms |
TLSv1.2 Server accepts all signature algorithms. |
TLSv1.2 Server accepts all signature algorithms. |
To modify the network configuration of IPMI from the console of SPS
Use the local console (or SSH) to log in to SPS as root.
Choose Shells > Boot shell.
Check the network configuration of the interface:
# ipmitool lan print
This guide assumes that channel 1 is used for LAN. If your setup differs, adjust the following commands accordingly.
Configure the interface. You can use DHCP or configure a static IP address manually.
Use an IPv4 address.
To use DHCP, enter the following command:
# ipmitool lan set 1 ipsrc dhcp
To use static IP, enter the following command:
# ipmitool lan set 1 ipsrc static
Set the IP address:
# ipmitool lan set 1 ipaddr <IPMI-IP>
Set the netmask:
# ipmitool lan set 1 netmask <IPMI-netmask>
Set the IP address of the default gateway:
# ipmitool lan set 1 defgw ipaddr <gateway-IP>
Configure IPMI to use the dedicated Ethernet interface.
On the N1000, T1, T4, and T10 appliances, issue the following command:
# ipmitool raw 0x30 0x70 0xc 1 0
On the 1000d and 10000 appliances, issue the following command:
# ipmitool raw 0x30 0x70 0xc 1 1 0
Verify the network configuration of IPMI:
# ipmitool lan print 1
Use a browser to connect to the reported network address.
Change the default password:
Log in to the IPMI web interface using the default login credentials (username: ADMIN, password: ADMIN or changeme, depending on your hardware).
NOTE: The login credentials are case sensitive.
Navigate to Configure > Users.
Select ADMIN, and choose Modify User.
Change the password, and save the changes with Modify.
© 2024 One Identity LLC. ALL RIGHTS RESERVED. Terms of Use Privacy Cookie Preference Center