Chat now with support
Chat with Support

One Identity Safeguard for Privileged Passwords 7.3 - Administration Guide

Introduction System requirements and versions Using API and PowerShell tools Using the virtual appliance and web management console Cloud deployment considerations Setting up Safeguard for Privileged Passwords for the first time Using the web client Home Privileged access requests Appliance Management
Appliance Backup and Retention Certificates Cluster Global Services External Integration Real-Time Reports Safeguard Access Appliance Management Settings
Asset Management
Account Automation Accounts Assets Partitions Discovery Profiles Tags Registered Connectors Custom platforms
Security Policy Management
Access Request Activity Account Groups Application to Application Cloud Assistant Asset Groups Entitlements Linked Accounts User Groups Security Policy Settings
User Management Reports Disaster recovery and clusters Administrator permissions Preparing systems for management Troubleshooting Frequently asked questions Appendix A: Safeguard ports Appendix B: SPP and SPS join guidance Appendix C: Regular Expressions About us

Performing a factory reset

As an Appliance Administrator, you can use the Factory Reset feature to reset a Safeguard for Privileged Passwords Appliance to recover from major problems or to clear the data and configuration settings on the appliance. A factory reset of a physical appliance may be initiated from:

  • The web client
  • The Recovery Kiosk
  • The Support Kiosk
  • Using the API

A Safeguard for Privileged Passwords virtual appliance is reset by the recovery steps to redeploy and not a factory reset. For more information, see Virtual appliance backup and recovery.

Caution: Care should be taken when performing a factory reset against a physical appliance, because this operation removes all data and audit history, returning it to its original state when it first came from the factory. Performing a factory reset will NOT reset the BMC/IPMI interface or the IP address. However, the BMC/IPMI interface will need to be reenabled after the reset has completed (for more information, see Lights Out Management (BMC)). The appliance must go through configuration again as if it had just come from the factory. For more information, see Setting up Safeguard for Privileged Passwords for the first time.

In addition, performing a factory reset may change the default SSL certificate and default SSH host key.

The appliance resets to the current Long Term Support (LTS) version. For example, if the appliance is running version 6.6 (feature release) or 6.0.6 LTS (maintenance Long Term Support release) and then factory reset, the appliance will reset down to 6.0 LTS and you will have to patch up to your desired version. For more information, see Long Term Support (LTS) and Feature Releases.

Factory reset on a clustered appliance

Performing a factory reset on a clustered hardware appliance will not automatically remove the appliance from a cluster. The recommended best practice is to unjoin an appliance from the cluster before performing a factory reset on the appliance. After the unjoin and factory reset, the appliance must be configured again. For more information, see Setting up Safeguard for Privileged Passwords for the first time.

To perform a factory reset from the web client

  1. Go to Factory Reset on hardware (not virtual machine):
    • Navigate to Appliance Management > Appliance > Factory Reset.
  2. Click Factory Reset.
  3. In the Factory Reset confirmation dialog, enter the words Factory Reset and click Factory Reset.

    The appliance will go into Maintenance mode to revert the appliance. If the appliance was in a cluster, you may need to unjoin the factory reset appliance. The factory reset appliance must be configured again. For more information, see Setting up Safeguard for Privileged Passwords for the first time. In addition, when you log in to the appliance, you will be prompted to add your Safeguard for Privileged Passwords licenses.

To perform a factory reset from the Recovery Kiosk

CAUTION: As part of the factory reset process, you will be performing a challenge response operation.

If the challenge response operation is invalidated, try restarting the process to generate a new challenge response. If that fails, contact One Identity Support for assistance.

  1. To perform a hardware factory reset, go to the Recovery Kiosk. For more information, see Recovery Kiosk (Serial Kiosk).
  2. Select Factory Reset.

  3. Press the right arrow.

  4. At Name or Email, enter your email or name and press the Tab key (or down arrow).

  5. Select Submit.

  6. At View Challenge, press the Enter key. Safeguard for Privileged Passwords produces a challenge. (If the challenge is not shown, maximize Putty.)

  7. Copy and paste the challenge into a text document and send it to One Identity Support. A challenge response is only good for 48 hours.

    IMPORTANT: Do not reboot the machine during the challenge response process.

  8. When you get the response from One Identity Support, copy and paste the response into the kiosk screen and select Factory Reset. The response is only valid for 24 hours from when it was generated by One Identity.
  9. Once the factory reset is completed the appliance will need to be reconfigured.

See the following Knowledge Base Article for details on using the MGMT network interface for factory reset: KB 232766: What are the steps to perform a factory reset from the recovery kiosk or MGMT network interface on physical devices?

To perform a factory reset from the Support Kiosk

CAUTION: As part of the factory reset process, you will be performing a challenge response operation. To avoid invalidating the challenge response, do NOT navigate away from the page or refresh.

If the challenge response operation is invalidated, try restarting the process to generate a new challenge response. If that fails, contact One Identity Support for assistance.

  1. To perform a hardware factory reset, on the web management console, click Support Kiosk. For more information, see Support Kiosk.
  2. Select Factory Reset. (This option is not available if you are attached to the console of a virtual machine. The options is only available for hardware.)
  3. Complete the challenge/response process:

    1. In Full Name or Email, enter your name or email to receive the challenge question.
    2. Click Get Challenge.
    3. To get the challenge response, perform one of the following (see the illustration that follows).
      • Click Copy Challenge. The challenge is copied to the clipboard. Send that challenge to Safeguard support. Support will send back a challenge response that is good for 48 hours.
      • Screenshot the QR code and send it to Support. Support will send back a challenge response that is good for 48 hours.

        IMPORTANT: Do not reboot the machine during the challenge response process.

      • Use a QR code reader on your phone to get the challenge response.

  4. When you get the response from One Identity Support, copy and paste the response into the kiosk screen and select Factory Reset.

Unlocking a locked cluster

In order to maintain consistency and stability, only one cluster operation can run at a time. To ensure this, Safeguard for Privileged Passwords locks the cluster while a cluster operation is running, such as enroll, unjoin, failover, patch, reset, session module join, update IP, and audit log maintenance. While the cluster is locked, changes to the cluster configuration are not allowed until the operation completes.

The lock notification displays as follows:

  • web client: The Appliance State will show a red lock icon ().

You should never cancel the cluster lock for an SPP unjoin, failover, cluster reset, restore, patch, or IP address update. Other considerations:

  • If a SPP join (enroll) is taking a long time, you may cancel it during the streaming audit data step.
  • If a patch distribution is taking a long time, you may cancel it and upload the patch to the replicas directly.
  • If an audit log synchronize operation is taking a long time, or you have reason to believe it will not complete due to a down appliance in the cluster, you may cancel it. Canceling this operation requires monitoring as detailed in Cancel Audit Log Maintenance from the Audit Log Maintenance page.
  • If an audit log archive or purge operation is taking a long time, or you have reason to believe it will not complete due to a down appliance in the cluster, you may cancel it. Canceling this operation requires monitoring as detailed in Cancel Audit Log Maintenance from the Audit Log Maintenance page.

To unlock a locked cluster

  1. Go to Cluster Management:
    • web client: Navigate to Cluster > Cluster Management.
  2. Click the lock icon in the upper right corner of the warning banner.
  3. In the Unlock Cluster confirmation dialog, enter Unlock Cluster and click OK.

    This will release the cluster lock that was placed on all of the appliances in the cluster and close the operation.

IMPORTANT: Care should be taken when unlocking a locked cluster. It should only be used when you are sure that one or more appliances in the cluster are offline and will not finish the current operation. If you force the cluster unlock, you may cause instability on an appliance, requiring a factory reset and possibly the need to rebuild the cluster. If you are unsure about the operation in progress, do NOT unlock the cluster.

Troubleshooting tips

If there is a problem with a Safeguard for Privileged Passwords cluster, follow these guidelines:

  1. Ensure that the hardware is powered on and online.
  2. Check for networking problems. For more information, see Diagnosing a cluster member.
  3. Check the events in the Activity Center as all cluster operations are logged. Errors and warnings may resolve on their own. If an error persists for more than 15 minutes, it probably won't resolve itself. Try restarting the appliance to see if the error or warning clears.
  4. Contact One Identity Support:

Appliance states

The following table lists the appliance states and what actions are available when the appliance is in a particular state.

Table 223: Appliance states
Appliance state and description Actions available

EnrollingReplica (only applies to replica appliances in a cluster)

A transitional state where a replica appliance is being added to a cluster and is not available for access. From this state, the appliance goes into Maintenance mode to complete the enroll operation.

Wait for operation to complete before logging in to appliance.

Initial Setup Required

A virtual appliance has been deployed but cannot be used until it is in the Online state.

The Appliance Administrator must run Initial Setup for the virtual appliance to move to the Online state. For more information, see Setting up the virtual appliance.

Initializing

A transitional state where the appliance is initializing to start, but is not yet available for access.

Wait for operation to complete before logging in to appliance.

Maintenance

Appliance is performing maintenance tasks and is not available for access.

Wait for maintenance tasks to complete before logging in to appliance.

LeavingCluster (only applies to replica appliances in a cluster)

A transitional state where a replica appliance is being unjoined from a cluster and is not available for access. From this state, the appliance goes into Maintenance mode to complete the unjoin operation.

Wait for operation to complete before logging in to appliance.

Offline

Appliance is not available for access.

Wait for appliance to come back online before logging in.

Offline Workflow

The appliance is not communicating with the cluster but has been either automatically or manually placed in Offline Workflow Mode to run access request workflow.

Enable Offline Workflow Mode. Once online operations are resumed, the appliance is returned to Maintenance mode. For more information, see About Offline Workflow Mode.

Online

The appliance is a primary and has consensus. Or the appliance is a replica and has both consensus and connectivity to the primary.

Log in to appliance.

In this state, access request workflow is available from all clustered appliances that are online and able to communicate.

PatchPending (only applies to replica appliances in a cluster)

Upon cluster patch, the primary appliance instructs all replicas to enter PatchPending state. The primary appliance then patches and upon completion, instructs the PatchPending replicas to install the patch one at a time.

You can log in to a replica with a PatchPending state.

You can initially perform access request workflow on a replica in PatchPending state; however, during the cluster upgrade, when the majority of the cluster members have upgraded, access request worklfow migrates from the PatchPending side of the cluster to the upgraded side of the cluster. During this time, access request workflow is unavailable on any appliance still in the PatchPending state.

PrimaryNoQuorum (only applies to the primary appliance in a cluster)

The primary appliance is in a Read-only mode while attempting to get the lease, but can't because the cluster does not have consensus. The appliance continues to attempt getting the lease and when it does, the appliance state goes back to Online.

If the appliance is powered on, you can log in to an appliance with a PrimaryNoQuorum state; however, it will be in a Read-only mode.

In this state, access request workflow is not available from the primary appliance, but may be available from other appliances in the cluster.

For example, if the primary cannot communicate with the rest of the nodes in the cluster, but the rest of the nodes can communicate between themselves (ReplicaWithQuorum state), then access request workflow will be available from these replica appliances even though it is not available from the primary appliance.

Quarantine

Appliance is broken or in an unknown state.

Requires manual intervention to recover.

Go to the Recovery Kiosk to recover. For more information, see Recovery Kiosk (Serial Kiosk).

ReplicaDisconnected (applies to replica appliances in a cluster)

A replica appliance is available for access; however, both of the following conditions apply:
    • The replica appliance cannot communicate with the primary appliance in the cluster.
    • The remaining nodes in the cluster that the replica appliance can communicate with do not have consensus.

You can log in to a replica with a ReplicaDisconnected state, but access request workflow is disabled.

If the replica appliance cannot communicate with the other nodes in the cluster, but the remaining nodes can communicate with each other, then access request workflow will be available from those appliances even though it is not available from the appliance that cannot communicate with them.

ReplicaNoQuorum (applies to replica appliances in a cluster)

A replica appliance can communicate with the primary appliance; however, the remaining nodes in the cluster do not reach consensus. Once the cluster regains consensus, the replica appliance will go into the Online state.

You can log in to a replica with a ReplicaNoQuorum state, but access request workflow is disabled.

In this state, access request workflow is not available from the primary appliance, but may be available from other replicas.

For example, in a cluster of five appliances, if the primary and a single replica cannot communicate with the remaining replicas in the cluster, but the other three replicas in the cluster can communicate between themselves (ReplicaWithQuorum state), then access request workflow will be available from the replicas that are online and communicating even though it is not available from the primary and replica that cannot communicate.

ReplicaWithQuorum (applies to replica appliances in a cluster)

A replica appliance cannot communicate with the primary appliance; however, the remaining nodes in the cluster have reached consensus.

You can log in to a replica with a ReplicaWithQuorum state. In this state, access request workflow is available from any clustered appliance that is online and able to communicate. Passwords and SSH keys can be requested and checked in. Scheduled tasks will not occur until after the cluster patching is complete. Manual check and change is not available.

The policy may be configured such that a password or SSH key reset is required before the password or SSH key can be checked out again. If that is the case, the following can be temporarily configured prior to cluster patching and access request to allow for password or SSH key check out when a password or SSH key has not been reset.

  • The policy can be set to allow multiple accesses.
  • The policy can be set to not require a password or SSH key change at check in.
  • Emergency requests can be allowed so the user does not have to wait for the password or SSH key to be reset.

TransitioningToPrimary (only applies to replica appliances in a cluster)

A transitional state where a replica appliance is being promoted to be the new primary and is not available for access.

Wait for operation to complete before logging in to appliance.

TransitioningToReplica (only applies to the primary appliance in a cluster.)

A transitional state where a primary appliance is being demoted to a replica and is not available for access.

Wait for operation to complete before logging in to appliance.

ShuttingDown

A transitional state where an appliance is shutting down and is not available for access.

Wait for appliance to come back online before logging in.

StandaloneReadOnly

State used for replicas unjoined from a cluster or a primary appliance restored from a backup. The appliance can be activated.

Log in to appliance.

See Activating a read-only appliance for how to activate a Read-only appliance so you can add, delete and modify data, apply access request workflow, and so on.

Unknown

Appliance is broken or in an unknown state.

Requires manual intervention to recover.

Go to the Recovery Kiosk to recover. For more information, see Recovery Kiosk (Serial Kiosk).

HardwareSecurityModuleError

The appliance can no longer access the configured Hardware Security Module for decryption. This state only occurs on startup or during the connection checks that run every 4 hours. During startup, any error to connect to the Hardware Security Module will cause the appliance to transition to this state. During a connection check, networking issues will not cause the appliance to transition to this state.

All Hardware Security Module related actions are available. This includes managing Hardware Security Module Client and Server certificates, updating the Hardware Security Module configuration, running cluster health checks, and running Hardware Security Module verifications.

The appliance will transition out of this state when a valid configuration exists that allows the appliance to decrypt, and either:

  • The next connection check runs (every 4 hours).

  • A Hardware Security Module verification is run, either through a cluster member health check, or through a refresh on the Hardware Security Module external integration menu.

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating