Chat now with support
Chat with Support

Safeguard for Privileged Passwords On Demand Hosted - Administration Guide

Introduction System requirements and versions Using API and PowerShell tools Using the virtual appliance and web management console Cloud deployment considerations Setting up Safeguard for Privileged Passwords for the first time Using the web client Getting started with the desktop client Using the desktop client Activity Center Search box Privileged access requests Toolbox Accounts Account Groups Assets
General/Properties tab (asset) Accounts tab (asset) Account Dependencies tab (asset) Owners tab (asset) Access Request Policies tab (asset) Asset Groups tab (asset) Discovered SSH Keys (asset) Discovered Services tab (asset) History tab (asset) Managing assets
Asset Groups Discovery Entitlements Linked Accounts Partitions Profiles Settings
Access Request settings Appliance settings Asset Management settings Tags Backup and Retention settings Certificates settings Cluster settings Enable or Disable Services settings External Integration settings Password Management settings Real-Time Reports Safeguard Access settings SSH Key Management settings Security Policy Settings
Users User Groups Disaster recovery and clusters Administrator permissions Preparing systems for management Troubleshooting Frequently asked questions Appendix A: Safeguard ports Appendix B: SPP 2.7 or later migration guidance Appendix C: SPP and SPS join guidance Appendix D: Regular Expressions About us

Setting the appliance name

Safeguard for Privileged Passwords automatically assigns a name to the appliance; however, you can change the name from the desktop client, Appliance Information page.

To set the appliance name

  1. Go to the page:
    • web client: Navigate to Appliance | Appliance Information.
    • desktop client: Navigate to Administrative Tools | Settings | Appliance | Appliance Information.
  2. Right of the Appliance Name, click Edit to enable the Appliance Name text box.
  3. Enter a new appliance name and click Save.

Debug

web client only

For each Safeguard for Privileged Passwords internal service, you can specify the level of logging and the external syslog server for storing debug logs. This allows for debugging in real time.

Debug logging is appliance specific. The data sent to the syslog server can include but is not limited to Support Bundle debug data. Cluster wide TLS audit event can be logged to a syslog server (see Syslog Events).

Debug logging is off by default but you can turn it on or off. Because debug logs can be sizable, you may want to turn it on for debugging a specific scenario or testing and turn it off for daily operations.

Using the API to control TLS log connection messages

Using the API, you can control if TLS log connection messages are generated to the debug logs when the TLS connection to an external server is closed. If the log level is set (see below), the event is also sent to the syslog server.

To log TLS connection information, set the NetworkDebugEnabled property from the https://<network address>/service/appliance/v3/Service/Debug endpoint to true. For more information, see Using the API.

To configure debug logs to send to a syslog server

  1. You will need a configured syslog server. If you have not configured a syslog server, you will see a message like this: To configure additional debut logging options, you need to configure a syslog server. Click Configure a syslog server. For more information, see Configuring and verifying a syslog server.
  2. If you have a syslog server configured, navigate to Appliance | Debug.
  3. Select a Syslog Server to which you want to send debug logs. The default is Do not log to syslog.
  4. In Facility, select which syslog facility to which you want to use: Kernel, User, Mail, Daemons, Authorization, or Syslog.
  5. Set the log level.

    • To set all log levels, click Set All then choose to Set All at one of the levels. This is useful to set the most common level of logging you want for most services.
    • To set an individual Service Name's log level, select next to the service to change the log level for that service.

    When you select from either the set all levels or the individual service name level, the log includes the log level selected as well as those listed below the level you selected. The information is immediately sent to the server. For example:

    • Debug (includes Debug, Information, Warning, and Error)
    • Information (includes Information, Warning, and Error)
    • Warning (includes Warning and Error)
    • Error (includes only Error)
    • None (Disabled): No logs are sent
  6. The grid displays each Service Name (enum name) that supports debug logging and the current Log Level.
    • Cick Refresh at any time to display the latest information.
    • Click Search to locate a specific service.

Enable or disable A2A and audit log stream

desktop client only. The web client includes the Audit Log Stream Service setting but not A2A; see Enable or Disable Services settings.

The Appliance Administrator can enable or disable Application to Application (A2A) and Audit Log Stream services from the desktop client. The toggle appears blue with the switch to the right ( toggle on) when the service is enabled, and gray with the switch to the left when the service is disabled ( toggle off).

Navigate to Administrative Tools | Settings | Appliance | Enable or Disable Services.

  • Application to Application Enabled toggle:
    Use this toggle to enable or disable Application to Application service. It is the responsibility of the Appliance Administrator to manage the Application to Application service. The Application to Application service is disabled by default. For more information, see Application to Application .
  • Audit Log Stream Service toggle:

    Use this toggle to send Safeguard for Privileged Passwords data to Safeguard for Privileged Sessions (SPS) to audit the Safeguard privileged management software suite. The feature is disabled by default.

    To accept SPP data, the SPS Appliance Administrator must turn on audit log syncing. For information, see the Safeguard for Privileged Sessions Administration Guide.

    SPP and SPS must be linked to use this feature. For more information, see SPP and SPS sessions appliance link guidance.

    While the synchronization of SPP and SPS is ongoing, SPS is not guaranteed to have all of the audit data at any given point due to some latency.

Factory Reset

As an Appliance Administrator, you can use the Factory Reset feature to reset a Safeguard for Privileged Passwords Appliance to recover from major problems or to clear the data and configuration settings on the appliance.

Factory reset is not an option for virtual appliances. You will need to redeploy the appliance.

Caution: Care should be taken when performing a factory reset against a physical appliance, because this operation removes all data and audit history, returning it to its original state when it first came from the factory. Performing a factory reset will NOT reset the BMC/IPMI interface or the IP address. However, the BMC/IPMI interface will need to be reenabled after the reset has completed (for more information, see Lights Out Management (BMC)).The appliance must go through configuration again as if it had just come from the factory. For more information, see Setting up Safeguard for Privileged Passwords for the first time.

In addition, performing a factory reset may change the default SSL certificate and default SSH host key.

The appliance resets to the current Long Term Support (LTS) version. For example, if you are using version 6.6 (feature release) or 6.0.6 LTS (maintenance Long Term Support release) and then factory reset, you appliance will reset down to 6.0 LTS and you will have to patch up to your current version. For more information, see Long Term Support (LTS) and Feature Releases.

Factory reset on a clustered appliance

Performing a factory reset on a clustered hardware appliance will not automatically remove the appliance from a cluster. The recommended best practice is to unjoin an appliance from the cluster before performing a factory reset on the appliance. After the unjoin and factory reset, the appliance must be configured again. For more information, see Setting up Safeguard for Privileged Passwords for the first time.

To perform a factory reset

  1. Go to Factory Reset on hardware (not virtual machine):
    • desktop client: Navigate to Administrative Tools | Settings | Appliance | Factory Reset.
  2. Click Factory Reset.
  3. In the Factory Reset confirmation dialog, enter the words Factory Reset and click OK.

    The appliance will go into Maintenance mode to revert the appliance. Once completed, you will be prompted to restart the desktop client. If the appliance was in a cluster, you may need to unjoin the factory reset appliance. The factory reset appliance must be configured again. For more information, see Setting up Safeguard for Privileged Passwords for the first time. In addition, when you log in to the appliance, you will be prompted to add your Safeguard for Privileged Passwords licenses.

You can also perform a factory reset from the Recovery Kiosk or Support Kiosk. For more information, see Performing a factory reset.

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating