Chat now with support
Chat with Support

Safeguard for Privileged Passwords On Demand Hosted - Administration Guide

Introduction System requirements and versions Using API and PowerShell tools Using the virtual appliance and web management console Cloud deployment considerations Setting up Safeguard for Privileged Passwords for the first time Using the web client Getting started with the desktop client Using the desktop client Activity Center Search box Privileged access requests Toolbox Accounts Account Groups Assets
General/Properties tab (asset) Accounts tab (asset) Account Dependencies tab (asset) Owners tab (asset) Access Request Policies tab (asset) Asset Groups tab (asset) Discovered SSH Keys (asset) Discovered Services tab (asset) History tab (asset) Managing assets
Asset Groups Discovery Entitlements Linked Accounts Partitions Profiles Settings
Access Request settings Appliance settings Asset Management settings Tags Backup and Retention settings Certificates settings Cluster settings Enable or Disable Services settings External Integration settings Password Management settings Real-Time Reports Safeguard Access settings SSH Key Management settings Security Policy Settings
Users User Groups Disaster recovery and clusters Administrator permissions Preparing systems for management Troubleshooting Frequently asked questions Appendix A: Safeguard ports Appendix B: SPP 2.7 or later migration guidance Appendix C: SPP and SPS join guidance Appendix D: Regular Expressions About us

Setting up the virtual appliance

The Appliance Administrator uses the initial setup wizard to give the virtual appliance a unique identity, license the underlying operating system, and configure the network. The initial setup wizard only needs to be run one time after the virtual appliance is first deployed, but you may run it again in the future. It will not modify the appliance identity if run in the future.

Once set up, the Appliance Administrator can change the appliance name, license, and networking information, but not the appliance identity (ApplianceID). The appliance must have a unique identity.

The steps for the Appliance Administrator to initially set up the virtual appliance follow.

Step 1: Make adequate resources available

The virtual appliances default deploy does not provide adequate resources. The minimum resources required are: 4 CPUs, 10GB RAM, and a 500GB disk. Without adequate disk space, the patch will fail and you will need to expand disk space then re-upload the patch.

Step 2: Deploy the VM

Deploy the virtual machine (VM) to your virtual infrastructure. The virtual appliance is in the InitialSetupRequired state.

Hyper-V zip file import and set up

If you are using Hyper-V, you will need the Safeguard Hyper-V zip file distributed by One Identity to setup the virtual appliance. Follow these steps to unzip the file and import:

  1. Unzip the Safeguard-hyperv-prod... zip file.
  2. From Hyper-V, click Options.
  3. Select Action, Import Virtual Machine.
  4. On the Locate Folder tab, navigate to specify the folder containing the virtual machine to import then click Select Folder.
  5. On the Locate Folder tab, click Next.
  6. On the Select Virtual Machine tab, select Safeguard-hyperv-prod....
  7. Click Next.
  8. On the Choose Import Type tab, select Copy the virtual machine (create a new unique ID).
  9. Click Next.
  10. On the Choose Destination tab, add the locations for the Virtual machine configuration folder, Checkpoint store, and Smart Paging folder.
  11. Click Next.
  12. On the Choose Storage Folders tab, identify Where do you want to store the imported virtual hard disks for this virtual machine?.
  13. Click Next.
  14. Review the Summary tab, then click Finish.
  15. In the Settings, Add Hardware, connect to Safeguard's MGMT and X0 network adapter.
  16. Right-click on the Safeguard-hyperv-prod... and click Connect... to complete the configuration and connect.

Step 3: Initial access

Initiate access using one of these methods:

  • Via a virtual display: Connect to the virtual display of the virtual machine. You will not be offered the opportunity to apply a patch with this access method. Upload and download are not available from the virtual display. Continue to step 3. If you are using Hyper-V, make sure that Enhanced Session Mode is disabled for the display. See your Hyper-V documentation for details.
  • Via a browser: Configure the networking of your virtual infrastructure to proxy https://192.168.1.105 on the virtual appliance to an address accessible from your workstation then open a browser to that address. For instructions on how to do this, consult the documentation of your virtual infrastructure (for example, VMWare). You will be offered the opportunity to apply a patch with this access method. Upload and download are available from the browser. Continue to step 3.

    IMPORTANT: After importing the OVA and before powering it on, check the VM to make sure it doesn't have a USB controller. If there is a USB controller, remove it.

Step 4: Complete initial setup

Click Begin Initial Setup. Once this step is complete, the appliance resumes in the Online state.

Step 5: Log in and configure Safeguard for Privileged Passwords

  1. If you are applying a patch, check your resources and expand the disk space, if necessary. The minimum resources are: 4 CPUs, 10GB RAM, and a 500GB disk.
  2. To log in, enter the following default credentials for the Bootstrap Administrator then click Log in.
    • User Name: admin
    • Password: Admin123

  3. If you are using a browser connected via https://192.168.1.105, the Initial Setup pane identifies the current Safeguard version and offers the opportunity to apply a patch. Click Upload Patch to upload the patch to the current Safeguard version or click Skip. (This is not available when using the Safeguard Virtual Kiosk virtual display.)
  4. In the web management console on the Initial Setup pane, enter the following.
    1. Appliance Name: Enter the name of the virtual appliance.
    2. Windows Licensing: Select one of the following options:
      • Use KMS Server: If you leave this field blank, Safeguard will use DNS to locate the KMS Server automatically. For the KMS Server to be found, you will need to have defined the domain name in the DNS Suffixes.

        If KMS is not registered with DNS, enter the network IP address of your KMS server.

      • Use Product Key: If selected, your appliance will need to be connected to the internet for the necessary verification to add your organization's Microsoft activation key.

        You can update this information in Administrative Tools | Settings | Appliance | Operating System Licensing. For more information, see Operating System Licensing.

    3. NTP: Complete the Network Time Protocol (NTP) configuration.
      • Select Enable NTP to enable the protocol.
      • Identify the Primary NTP Server IP address and, optionally, the Secondary NTP Server IP address.
    4. Network (X0): For the X0 (public) interface, enter the IPv4 and/or IPv6 information, and DNS Servers information. Directory or network scans are supported for IPv4 but not IPv6.
  5. Click Save. The virtual appliance displays progress information as it configures Safeguard, the network adapter(s), and the operating system licensing.
  6. When you see the message Maintenance is complete, click Continue.

Step 6: Access the desktop client or use the web client

You can go to the virtual appliance's IP address for the X0 (public) interface from your browser:

Step 7: Change the Bootstrap Administrator's password

For security reasons, change the password on the Bootstrap Administrator User. For more information, see Setting a local user's password.

Step 8. After clustering, change the trusted servers, CORS, and redirects setting

As a best practice, after you have created your Safeguard for Privileged Passwords cluster (or if just using a single VM), change the Trusted Servers, CORS and Redirects setting to the empty string or a list of values to integration applications you wish to allow. For more details, see the Safeguard for Privileged Passwords Administration Guide, Trusted Servers, CORS and Redirects.

View or change the virtual appliance setup

You can view or change the virtual appliance setup.

  • From the web management console, click Home to see the virtual appliance name, licensing, and networking information.
  • After the first setup, Safeguard for Privileged Passwords updates and networking changes can be made via the web management console by clicking Setup.

Virtual appliance backup and recovery

Use the following information to back up and recover a Safeguard for Privileged Passwords virtual appliance. Factory reset is not an option for virtual appliances. To factory reset a virtual appliance, just redeploy the appliance.

Backing up the virtual appliance

To ensure security of the hardware appliance, backups taken from a hardware appliance cannot be restored on virtual appliances and backups taken from a virtual appliance cannot be restored on a hardware appliance.

Backup is handled via Administrative Tools | Settings | Backup and Retention. For more information, see Backup and Retention settings.

Recovery of the virtual appliance

A Safeguard for Privileged Passwords virtual appliance is reset by using the following recovery steps.

On-prem virtual appliance (for example, Hyper-V or VMware)

  1. Redeploy the virtual appliance and run Initial Setup. For more information, see Setting up the virtual appliance.
  2. Restore the backup. For more information, see Backup and Retention settings.

Cloud virtual appliance (for example, AWS or Azure)

  1. Redeploy using the deployment steps:

Support Kiosk

An Appliance Administrator triaging a Hyper-V or VMware virtual appliance that has lost connectivity or is otherwise impaired can use the Support Kiosk even when the virtual appliance is in quarantine. For more information, see What do I do when an appliance goes into quarantine.

It is recommended that terminal settings be 90 x 45 or larger. Smaller settings may result in a error like: Screen dimension to small. Also, the desktop client works the best at a resolution of 1024 x 768 or higher.

When using the Windows Kiosk it is not possible to copy and paste. In Hyper-V it is possible to automate typing text from the keyboard, and using full ESX it may be possible to emulate keypresses via the API call PutUsbScanCodes().

  1. On the web management console, click Support Kiosk.
  2. Select any of the following activities:
    • Appliance Information

      This is read-only. You can re-run setup to change networking information.

    • Power Options
      You can reboot or shutdown the virtual appliance.
      1. Enter the reason you want to reboot or shutdown the virtual appliance.
      2. Click Reboot or Shutdown.
    • Admin Password Reset

      The Bootstrap Administrator is a built-in account to get the appliance running for the first time. The default credentials (admin/Admin123) should be changed once Safeguard is configured. If you lose the password, you can reset it to the default using the challenge response process below.

      Challenge response process

      1. In Full Name or Email, enter your name or email to receive the challenge question.
      2. Click Get Challenge.
      3. To get the challenge response, perform one of the following (see the illustration that follows).
        • Click Copy Challenge. The challenge is copied to the clipboard. Send that challenge to Safeguard support. Support will send back a challenge response that is good for 48 hours. Do not refresh your screen.
        • Screenshot the QR code and send it to Support. Support will send back a challenge response that is good for 48 hours.

          Do not navigate away from the page or refresh during a challenge response operation. Doing so will invalidate the challenge response and you will need to restart the process.

        • Use a QR code reader on your phone to get the challenge response.

      d. After the response is accepted, click Reset Password. Once the operation has completed, the password for the admin account will be defaulted back to Admin123.

    • Support Bundle
      A support bundle includes system and configuration information sent to One Identity Support to analyze and diagnose issues. You can download a support bundle or save the bundle to a Windows share location which you have already set up. To generate a support bundle:
      1. Select Include Event Logs if you want to include operating system events. Unless requested by support, it is recommended to leave this unchecked because it takes much longer to generate the support bundle.
      2. Create the support bundle using one of these methods:

        • If you are connected via the browser not the display, you can click Download, navigate to the location for the download, and click OK.
        • To copy the bundle to the share:
          1. Enter the UNC Path, Username, and Password.
          2. Select Include Event Logs, if appropriate.
          3. Click Copy To Share. A progress bar displays. The operation is complete when you see The bundle was successfully copied to the share.
    • Diagnostic package

      Appliance Administrators can execute a trusted, secure appliance diagnostics package to help solve issues with configuration, synchronization, and clustering, as well as other other internal challenges. The appliance diagnostics package is available from the web Support Kiosk, not the Serial Kiosk (Recovery Kiosk). The appliance diagnostics package can be used even when the appliance is in quarantine. To protect against external threats, Safeguard rejects illegitimate appliance diagnostics packages. The manifest file in the appliance diagnostics package lists criteria that may include the minimum Safeguard version, appliance ID, and expiration time-stamp UTC. New product code and database changes are not included in an appliance diagnostics package.

      1. To load for the first time, click Upload, select the file that has an .sgd extension, then click Open.
        • If the upload criteria is not met, the appliance diagnostics package is not uploaded and a message like the following displays: The minimum Safeguard version needed to run this diagnostic package is <version>.
        • If the upload is successful, the Diagnostic Package Information displays with a Status of Staged. Select Execute and wait until the Status changes to Completed.
      2. Once uploaded, you can:
        • Select Download Log to save the log file. Audit log entries are available through the Activity Center during and after execution and are part of the appliance history.
        • If the Expiration Date has not passed, you can select Execute to execute the appliance diagnostics package again.
        • Select Delete to delete the appliance diagnostics package, the associated log file, and stop any appliance diagnostics package that is running. Before uploading a different appliance diagnostics package, you must delete the current one because there can be only one appliance diagnostics package per appliance.
    • Factory Reset (hardware appliance)

      Perform a factory reset to recover from major problems or to clear the data and configuration settings on a hardware appliance. All data and audit history is lost and the hardware appliance goes into maintenance mode. For more information, see Performing a factory reset.

      A virtual appliance is reset by the recovery steps to redeploy and not a factory reset. If you are attached to the console of a virtual machine, you will not have the Factory Reset option. The options are only available for hardware.

    • Lights Out Managment (BMC) (hardware appliance)
      The Lights Out Management feature allows you to remotely manage the power state and serial console to Safeguard for Privileged Passwords using the baseboard management controller (BMC). When a LAN interface is configured, this allows the Appliance Administrator to power on an appliance remotely or to interact with the Recovery Kiosk.

      For more information, see Lights Out Management (BMC).

Cloud deployment considerations

Safeguard for Privileged Passwords can be run from the cloud.

Before you start: platforms and resources

When setting up a virtual environment, carefully consider the configuration aspects such as CPU, memory availability, I/O subsystem, and network infrastructure to ensure the virtual layer has the necessary resources available. See One Identity's Product Support Policies for more information on environment virtualization.

Platforms that have been tested with the cloud deployments follow.

For these deployments, the minimum resources used in test are 4 CPUs, 10GB RAM, and a 60GB disk. Choose the appropriate machine and configuration template. For example, when you click Create in the Azure Marketplace, default profiles display. You can click Change size to choose a different template.

Restricting access to the web management kiosk for cloud deployments

The web management kiosk runs on port 9337 in AWS and Azure and is intended for diagnostics and troubleshooting by Appliance Administrators.

CAUTION: The Management web kiosk is available via HTTPS port 9337 for cloud platforms (including AWS and Azure). The Management web kiosk gives access to functions without authentication, such as pulling a support bundle or rebooting the appliance. In AWS, all ports are denied unless explicitly allowed. To deny access to port 9337, the port should be left out of the firewall rules. If the port is used, firewall rules should allow access to targeted users.

Azure: Block port 9337

Use the following steps to block access to port 9337 in Azure.

  1. Navigate to the virtual machine running Safeguard for Privileged Passwords.
  2. In the left hand navigation menu select Networking.
  3. Click Add inbound port rule.
  4. Configure the inbound security rule as follows:
    Source: Any
    Source port ranges: *
    Destination: Any
    Destination port ranges: 9337
    Protocol: Any
    Action: Deny
    Priority: 100 (use the lowest priority for this rule)
    Name: DenyPort9337
  5. Click Add.

AWS: Block port 9337

Use the following steps to block access to port 9337 in AWS.

  1. From the EC2 Dashboard, navigate to the EC2 Instance running Safeguard for Privileged Passwords.
  2. Select the instance.
  3. In the Description tab, locate the Security groups field then click the name of the security group.
  4. Select the Inbound tab.
  5. Click Edit.
  6. Remove any existing rules and add the following rules:
    • Type: Custom TCP Rule
      Protocol: TCP
      Port Range: 655
      Source: Anywhere
      Description: Cluster VPN
    • Type: Custom UDP Rule
      Protocol: UDP
      Port Range: 655
      Source: Anywhere
      Description: Cluster VPN
    • Type: HTTPS
      Protocol: TCP
      Port range: 443
      Source: Anywhere
      Description: Web API
    • Type: Custom TCP Rule
      Protocol: TCP
      Port Range: 8649
      Source: Anywhere
      Description: SPS Cluster
  7. Click Save.
Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating