One Identity Safeguard for Privileged Passwords 7.0.3 LTS - Administration Guide

External Integration

The Appliance Administrator can:

  • Configure the appliance to send event notifications to various external systems.
  • Integrate with an external ticketing system or track generic ticket numbers.
  • Configure both external and secondary authentication service providers.

Go to External Integration:

  • web client: Navigate to Appliance Management > External Integration.
Table 47: External Integration settings (Setting: Description)

  • Email: Where you configure Safeguard for Privileged Passwords to automatically send email notifications when certain events occur.
  • Email Templates: Where you configure Safeguard for Privileged Passwords email templates.
  • Hardware Security Module: Where you configure the Hardware Security Module integration, which allows Safeguard for Privileged Passwords to use an external Hardware Security Module device for encryption.
  • SNMP: Where you configure Safeguard for Privileged Passwords to send SNMP traps to your SNMP console when certain events occur.
  • Starling: Where you join Safeguard for Privileged Passwords to Starling to take advantage of Starling services.
  • Syslog: Where you configure Safeguard for Privileged Passwords to send event notifications, with details about the event, to a syslog server.
  • Syslog Events: Where, using an existing syslog server, you create a subscriber and assign events.
  • Ticket systems: Where you configure Safeguard for Privileged Passwords either to integrate with your company's external ticket system or to track generic ticket numbers without integrating with an external ticketing system.
  • Trusted Servers, CORS, and Redirects: Where you can restrict login redirects and Cross Origin Resource Sharing (CORS) requests to a specified list of IP addresses, host names (including DNS wildcards), and CIDR notation networks.

Email

It is the responsibility of the Appliance Administrator to configure Safeguard for Privileged Passwords to automatically send email notifications when certain events occur.

Use the Email pane to configure the SMTP server to be used for email notifications and to edit the email templates that define the content of email notifications.

Before you start

Before configuring the SMTP server, perform the following, as needed.

  • Configure the DNS Server and set up the user's email address correctly.
  • If you are using a transport layer for email authentication, it is recommended you create the certificate signing request (CSR) with SPP using the Add Certificate > Create Certificate Signing Request (CSR) option. For more information, see Creating an audit log Certificate Signing Request.

    The certificate issued for the CSR can be installed in the following formats.

    • Install Certificate generated from CSR including:
      • DER Encoded Files (.cer, .crt, or .der)
      • PEM Encoded Files (.pem)
    • Install Certificate with Private Key including:
      • PKCS#12 (.p12 or .pfx)
      • Personal Information Exchange Files (.pfx)

To configure the SMTP Server

  1. Go to SMTP Server:
    • web client: Navigate to External Integration > Email.
  2. To configure the email notifications, enter these global settings for all emails:
    • SMTP Server Address: Enter the IP address or DNS name of the mail server. When unspecified, the email client is disabled.
      When entering an IPv6 address, you must encapsulate it in square brackets, such as [b86f:b86f:b86f:1:b86f:b86f:b86f:b86f].
      If you are using a mail exchanger record (MX record), you must specify the domain name for the mail server.
    • SMTP Port: A default port is set for SMTP; change it if your mail server listens elsewhere. By default, the SMTP port is 465 or, if you are using SSL/TLS, the default is port 25. The range is 1 to 65535.
    • Select one of the following to add Transport Layer Security.

      • Require STARTTLS: Select this option to connect to an SMTP server that supports the STARTTLS command to elevate the connection from text-based to TLS.
      • Require SMTPS: Select this option to immediately use TLS in its connection to the target SMTP server.
      • None: There is no transport layer security applied to emails.

      If you selected Require STARTTLS or Require SMTPS, you can select one, both, or none of the following:

      • Verify SSL Certificate: If not selected, the remote SMTP server's SSL certificate is not verified, so the appliance cannot tell a genuine mail server from an impostor presenting any certificate.
      • Use Client Certificate: Select this check box to present a client certificate during the TLS connection to the remote SMTP server.
    • User Authentication: Select an option if you want to authenticate access to the SMTP server.
      • Account: If selected, click Directory Account or Asset Account then select the account to use for authentication.
      • Password: If selected, enter the Account Name and Account Password to use for authentication.
      • None: If selected, the user will not be authenticated.
    • Send Test Email To: Enter an email address to use as the "From" address for all emails originating from the appliance. This is required if you specify the SMTP Server Address. The limit is 512 characters.

To validate your setup

Test the email setup. When you test, no emails except for the tests are handled.

  1. In Send Test Email To, enter the email address of where to send the test message.
  2. Enter the Timeout for the test email, measured from the start of delivery to the email being sent successfully or an error notification being returned. Each IP address is tested and, if one fails, an error is returned for the entire process. The maximum is 255 seconds per IP check. The error logs are maintained for two days. During testing, a message with a valid From address and an invalid To address is not delivered.
  3. Click Send Test Email. The email is sent using the configuration settings. If there is an error or timeout, a message displays in the user interface.
  4. You must check to ensure the email is delivered. If there was no message in the user interface but the email is not delivered, check the support bundle log files in the SMTPSVC1 folder. Two days of logs are maintained. For more information, see Support bundle.
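The following is an added example and is not part of the Safeguard documentation or the product's own code. It shows what the transport options above (Require STARTTLS, Require SMTPS, None), the Verify SSL Certificate and Use Client Certificate check boxes, the bracketed IPv6 server address, and the Send Test Email step with its timeout amount to when expressed with Python's standard smtplib and ssl modules. The SmtpSettings class, the function names, and the client certificate path are this example's own assumptions; the appliance exposes none of them.

```python
"""Added example: TLS and test-send behaviour behind the SMTP Server settings.

Not SPP's implementation. Names and fields are this example's assumptions.
"""
import smtplib
import ssl
from dataclasses import dataclass
from email.message import EmailMessage
from typing import Optional, Tuple


@dataclass
class SmtpSettings:
    # Mirrors the Email pane fields; the guide requires IPv6 literals in brackets.
    server_address: str
    port: int
    transport: str                        # "STARTTLS", "SMTPS", or "None"
    verify_certificate: bool = True       # "Verify SSL Certificate"
    client_cert_path: Optional[str] = None  # "Use Client Certificate" (PEM with key, assumed)
    username: Optional[str] = None        # "User Authentication: Password" account name
    password: Optional[str] = None


def parse_server_address(raw: str) -> str:
    """Strip the square brackets the guide requires around an IPv6 address."""
    raw = raw.strip()
    if raw.startswith("[") and raw.endswith("]"):
        return raw[1:-1]
    return raw


def build_tls_context(settings: SmtpSettings) -> Optional[ssl.SSLContext]:
    """Return the SSL context implied by the transport and verification choices."""
    if settings.transport == "None":
        return None                       # cleartext SMTP: no TLS at all
    ctx = ssl.create_default_context()    # CERT_REQUIRED plus hostname checking
    if not settings.verify_certificate:
        # Unchecked "Verify SSL Certificate": any certificate is accepted, so an
        # impostor mail server could read the notifications. Avoid in production.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    if settings.client_cert_path:
        ctx.load_cert_chain(settings.client_cert_path)   # presented during the handshake
    return ctx


def verification_summary(settings: SmtpSettings) -> str:
    """Human-readable statement of what the chosen options actually enforce."""
    ctx = build_tls_context(settings)
    if ctx is None:
        return "cleartext"
    return "verified" if ctx.verify_mode == ssl.CERT_REQUIRED else "unverified"


def send_test_email(settings: SmtpSettings, from_addr: str, to_addr: str,
                    timeout: int = 30) -> Tuple[bool, str]:
    """Equivalent of Send Test Email: returns (ok, detail) instead of raising.

    The timeout bounds connect and each command, like the Timeout field.
    """
    host = parse_server_address(settings.server_address)
    ctx = build_tls_context(settings)
    msg = EmailMessage()
    msg["From"] = from_addr
    msg["To"] = to_addr
    msg["Subject"] = "SMTP configuration test"
    msg.set_content("Constructed test message from the email configuration check.")
    try:
        if settings.transport == "SMTPS":
            conn = smtplib.SMTP_SSL(host, settings.port, timeout=timeout, context=ctx)
        else:
            conn = smtplib.SMTP(host, settings.port, timeout=timeout)
        with conn:
            if settings.transport == "STARTTLS":
                conn.starttls(context=ctx)  # upgrade the plaintext session to TLS
            if settings.username:
                conn.login(settings.username, settings.password or "")
            conn.send_message(msg)
        return True, "sent"
    except (OSError, smtplib.SMTPException) as exc:
        # Covers DNS failure, refused connection, socket timeout, TLS and auth errors.
        return False, f"{type(exc).__name__}: {exc}"
```

verification_summary is the check worth running before relying on a configuration: a STARTTLS or SMTPS setting with Verify SSL Certificate cleared reports "unverified", which is encrypted but not authenticated, and should be treated the same as cleartext when deciding whether password-related notifications may traverse that link.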

Enabling email notifications

For users to receive email notifications, there are a few things you must configure properly.

To enable email notifications

  1. Users must set up their email address correctly.
    1. Local users:
      1. The Authorizer Administrator or User Administrator sets this up in the user's Contact Information. For more information, see Adding a user.

        -OR-

      2. Users set this up in their My Account settings.
    2. Directory users must have their email set in the Active Directory or LDAP domain.
  2. The Appliance Administrator must configure the SMTP server. For more information, see Email.

TIP: You can setup email subscriptions to any email event type through the API: https://<Appliance IP>/service/core/swagger/ui/index#/EventSubscribers. For more information, see Using the API.

Email Events

The Email Events page is used for adding and managing the subscribers that receive emails for specific Safeguard for Privileged Passwords events.

Go to Email Events:

  • web client: Navigate to External Integration > Email Events.

The Email Events pane displays the following about the subscribers defined.

Table 48: Email Events: Properties (Property: Description)

  • Subscriber: The name of the email event recipient.
  • Description: The description of the email event.
  • Shared: This column displays a check mark if all Appliance Administrators will see information on the email event subscription on their Email Events page.
  • # of Events: The number of events sent in the email.

Use these toolbar buttons to manage the email event subscribers.

Table 49: Email Event: Toolbar (Option: Description)

  • Add: Add a new email event subscriber. For more information, see Add an email event.
  • Remove: Remove the selected email event from Safeguard for Privileged Passwords.
  • Edit: Modify the email event.
  • Copy: Clone the selected email event.
  • Show System Owned / Hide System Owned: Use these buttons to either display or hide system owned email events in the list.
  • Refresh: Update the list of email events.
  • Send Test Event: Send a test message.