One Identity Safeguard for Privileged Passwords 7.1 - Administration Guide

Hardware Security Module

It is the responsibility of the Appliance Administrator to configure Safeguard for Privileged Passwords to integrate with an external Hardware Security Module for encryption.

Use the Hardware Security Module pane to configure the Hardware Security Module integration. The following Hardware Security Modules are supported:

  • Thales Luna 7.X

  • Thales Luna 6.X

  • Thales Data Protection on Demand

Go to Hardware Security Module:

  • web client: Navigate to Appliance Management > External Integration > Hardware Security Module.

Before you start

Before configuring the Hardware Security Module integration, the Thales Luna environment needs to be fully installed and configured. This includes but is not limited to:

  • Setting the Crypto Officer password.

  • Generating the Hardware Security Module server certificate(s) (network Luna only).

  • Generating a Hardware Security Module client certificate for each Safeguard for Privileged Password clustered appliance (network Luna only).

  • Initializing a partition.

  • Creating any high availability groups Safeguard for Privileged Passwords will utilize.

Safeguard for Privileged Passwords will require the following information to configure the integration:

  • Crypto Officer password

  • Server certificate(s) (network Luna only)

  • Client certificate(s) (network Luna only)

  • Partition label (can be high availability group label)

  • crystoki.ini file

If you are configuring an integration that includes a network Luna device, first install and assign the Hardware Security Module client and server certificates for your environment. For more information, see Installing a Hardware Security Module client certificate, Assigning a Hardware Security Module client certificate, and Uploading a Hardware Security Module server certificate.

IMPORTANT: Connection to network Luna devices is only supported through a Network Trust Link (NTL) connection. Secure Trusted Channel (STC) connections are not supported when integrating with Safeguard for Privileged Passwords.

CAUTION: It is best practice to only enable or disable a Hardware Security Module integration on a standalone Safeguard for Privileged Passwords appliance. The encrypted data stored within the Safeguard for Privileged Passwords appliance will be re-encrypted during these operations. If enabling or disabling in a clustered environment, the cluster will be broken, the primary Safeguard for Privileged Passwords appliance will be set to a standalone appliance, and all replicas will need to be rejoined to the cluster after the maintenance task has been completed. During this time, ensure that no operations that use encrypted data, such as password check and change, are performed on the replica appliances, to avoid data corruption.

CAUTION: Safeguard for Privileged Passwords will use a reserved label for the encryption key stored on the Hardware Security Module partition. These labels cannot exist on the partition when doing an integration for the first time. The reserved key label name is:

SafeguardMasterKey1

CAUTION: When configuring an integration that includes network Luna devices, ensure all client and server certificates have been installed on the primary Safeguard for Privileged Passwords appliance for all future cluster members. In addition, install and assign the required client certificates on the replicas prior to joining the cluster.

To configure the Hardware Security Module integration

  1. Go to Hardware Security Module:

    • web client: Navigate to Appliance Management > External Integration > Hardware Security Module.

  2. Select the Use External HSM checkbox.

  3. In the Partition Label field, enter the partition label Safeguard for Privileged Passwords should use on the Hardware Security Module device.

  4. Enter the Crypto Officer password Safeguard for Privileged Passwords should use to connect to the Hardware Security Module device.

  5. Click Upload File and browse for the crystoki.ini configuration file.

  6. Once selected, click Open.

  7. Click Save.

    NOTE: If the provided configuration prevents Safeguard for Privileged Passwords from proceeding with the integration, a message with further information displays in the user interface.

Once you have finished configuring the Hardware Security Module integration, the following information and options will be available:

Table 50: Hardware Security Module: Properties
Setting Description

Health Status

Displays the results of the last Hardware Security Module verification.

Refresh

Runs a Hardware Security Module verification. This can be used to transition a Safeguard for Privileged Passwords appliance out of the HardwareSecurityModuleError state.

Last Successful Access Date

The date and time of the last Healthy Hardware Security Module status.

Show Details

Shows the current crystoki.ini contents being used for the Hardware Security Module integration.

To disable the Hardware Security Module integration

  1. Go to Hardware Security Module:

    • web client: Navigate to Appliance Management > External Integration > Hardware Security Module.

  2. Deselect the Use External HSM checkbox.

  3. Click Save.

SNMP

Simple Network Management Protocol (SNMP) is an Internet-standard protocol for managing devices on IP networks. Safeguard for Privileged Passwords allows you to configure SNMP subscriptions for sending SNMP traps to your SNMP console when certain events occur.

Go to SNMP:

  • web client: Navigate to External Integration > SNMP.

The SNMP pane displays the following information about the defined SNMP subscribers.

Table 51: SNMP: Properties
Property Description
Network Address The IP address or FQDN of the primary SNMP network server.
Port The UDP port number for SNMP traps.
Version The SNMP version being used.
Description The description of the SNMP subscriber.
Community The SNMP community string being used by the SNMP subscriber.
# of Events The number of events selected to be sent to the SNMP console.

Use these toolbar buttons to manage the SNMP subscriptions.

Table 52: SNMP: Toolbar
Option Description
Add Add a new SNMP subscription. For more information, see Configuring SNMP subscriptions.
Remove Remove the selected SNMP subscription.

Edit Modify the selected SNMP subscription.
Copy SNMP Template Clone the selected SNMP subscription.
Refresh Update the list of SNMP subscriptions.

Configuring SNMP subscriptions

It is the responsibility of the Appliance Administrator to configure Safeguard for Privileged Passwords to send SNMP traps to your SNMP console when certain events occur.

You can create a test to verify the SNMP configuration. For more information, see Verifying SNMP configuration.

To download Safeguard for Privileged Passwords MIB-module definitions from your appliance, enter the following URL into your web browser; no authentication is required:

https://<Appliance IP address>/docs/mib/SAFEGUARD-MIB.mib

To configure SNMP subscriptions

  1. Go to SNMP:
    • web client: Navigate to External Integration > SNMP.
  2. Click Add to open the SNMP subscription configuration dialog.
  3. Provide the following information:
    • Network Address: Enter the IP address or FQDN of the primary SNMP network server. Limit: 255 characters
    • UDP Port: Enter the UDP port number for SNMP traps. Default: 162
    • Description: Enter the description of the SNMP subscriber. Limit: 255 characters
    • Subscribe to All Events: Select this check box to subscribe to all events.
    • Events: Available when Subscribe to All Events is not selected. Click Browse to select one or more SNMP event types. Use the Clear icon to remove an individual event from this list and select Remove All to clear all events from the list. The SNMP pane displays the number of events that you select, not the names of the events.
    • Version: Choose the SNMP version. Default: Version 2. Depending on the version selected, the following fields appear:
      • Version 1 and Version 2:
        • Community: Enter the SNMP community string, such as public. The SNMP community string acts like a user ID or password that allows access to a device's statistics, such as those of a router. An SNMP manager (for example, PRTG Network Monitor) sends the community string along with all SNMP requests. If the community string is correct, the device responds with the requested information. If the community string is incorrect, the device simply discards the request and does not respond.
  4. Click OK.

Verifying SNMP configuration

Use the Send Test Event link located under the SNMP table to send a test event to verify the SNMP configurations.

To validate your setup

  1. Go to SNMP:
    • web client: Navigate to External Integration > SNMP.
  2. When configuring your SNMP subscription, on the SNMP dialog, add the test event to your event subscription. For more information, see Configuring SNMP subscriptions.
  3. On the SNMP settings pane:
    1. Select the SNMP configuration from the table.
    2. Click Send Test Event. Safeguard for Privileged Passwords sends a test event notification to your SNMP console.
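For the subscription fields above (version, community string, UDP port) and the Send Test Event check, here is an added example, not code from the Safeguard guide: a small Python decoder for the SNMPv2c trap datagram that reaches your console, so you can confirm the version, community string and varbinds the appliance actually sends. It assumes you pass it the bytes received on a UDP socket bound to the subscription port; the embedded SAMPLE_TRAP is constructed for the example, and its 1.3.6.1.4.1.99999.* OIDs are placeholders, not Safeguard's MIB.

```python
# Added example, not Safeguard code: decode an SNMPv2c trap datagram (e.g. the bytes from
# recvfrom() on a UDP socket bound to the subscription port) to check what a Send Test
# Event actually carries. SAMPLE_TRAP is hand-built; its 1.3.6.1.4.1.99999.* OIDs are placeholders.

def _tlv(buf, pos):  # one BER TLV at pos -> (tag, contents, position after it)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                    # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _oid(raw):  # BER OID contents -> dotted string (first byte packs the first two arcs)
    arcs, val = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, val = arcs + [val], 0
    return ".".join(map(str, arcs))

def _value(tag, raw):
    if tag == 0x02: return int.from_bytes(raw, "big", signed=True)  # INTEGER
    if tag == 0x04: return raw.decode("utf-8", "replace")           # OCTET STRING
    if tag == 0x06: return _oid(raw)                                 # OBJECT IDENTIFIER
    if tag == 0x43: return int.from_bytes(raw, "big")                # TimeTicks
    return raw.hex()

def decode_trap(datagram):
    """Return {'version', 'community', 'varbinds'} for an SNMPv2c trap (PDU tag 0xA7)."""
    _, msg, _ = _tlv(datagram, 0)                        # Message ::= SEQUENCE
    _, ver, p = _tlv(msg, 0)
    _, community, p = _tlv(msg, p)
    pdu_tag, pdu, _ = _tlv(msg, p)
    if pdu_tag != 0xA7:
        raise ValueError("PDU tag 0x%02X is not an SNMPv2-Trap-PDU" % pdu_tag)
    p = 0
    for _i in range(3): _, _, p = _tlv(pdu, p)           # request-id, error-status, error-index
    _, varbinds, _ = _tlv(pdu, p)
    p, trap = 0, {"version": {0: "1", 1: "2c"}.get(int.from_bytes(ver, "big"), "?"),
                  "community": community.decode("utf-8", "replace"), "varbinds": {}}
    while p < len(varbinds):
        _, vb, p = _tlv(varbinds, p)                     # VarBind ::= SEQUENCE {name, value}
        _, oid, q = _tlv(vb, 0)
        vtag, vraw, _ = _tlv(vb, q)
        trap["varbinds"][_oid(oid)] = _value(vtag, vraw)
    return trap

# Constructed v2c trap: community "public"; sysUpTime.0 = 5; snmpTrapOID.0; one text varbind.
SAMPLE_TRAP = bytes.fromhex(
    "3059 020101 04067075626c6963 a74c 02012a 020100 020100 3041"
    " 300d 06082b06010201010300 430105  3017 060a2b060106030101040100 06092b06010401868d1f01"
    " 3017 06092b06010401868d1f02 040a5465737420657665 6e74")
```

If the decoded community differs from the one in your subscription, or the version is not the one you configured, the console will drop the trap silently, which is the first thing to rule out when a test event never shows up.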