Chat now with support
Chat with Support

One Identity Safeguard for Privileged Passwords 7.4.1 - Administration Guide

Introduction System requirements and versions Using API and PowerShell tools Using the virtual appliance and web management console Cloud deployment considerations Setting up Safeguard for Privileged Passwords for the first time Using the web client Home page Privileged access requests Appliance Management
Appliance Backup and Retention Certificates Cluster Global Services External Integration Real-Time Reports Safeguard Access Appliance Management Settings
Asset Management
Account Automation Accounts Assets Partitions Discovery Profiles Tags Registered Connectors Custom platforms Importing objects
Security Policy Management
Access Request Activity Account Groups Application to Application Cloud Assistant Asset Groups Entitlements Linked Accounts User Groups Security Policy Settings
User Management Reports Disaster recovery and clusters Administrator permissions Preparing systems for management Troubleshooting Frequently asked questions Appendix A: Safeguard ports Appendix B: SPP and SPS join guidance Appendix C: Regular Expressions

Information tab (asset discovery)

Navigate to:

  • web client: Asset Management > Discovery > Assets > (add or edit a Asset Discovery job).

On the Information tab, define the directory or network information for the discovery job.

Table 133: Discovery Type
Property Description
Discovery Type

Choose a type of discovery:

  • Asset

  • Directory

  • Network

  • StarlingAgent

If you select Directory, directory assets that are shared can be discovered into any partition. Directories include Active Directory or LDAP. See Directories that can be searched in Supported platforms.

To share a directory asset, select Available for discovery across all partitions for the asset; see Management tab (add asset). If the check box is not selected, the asset is not shared and the asset will only be discovered into the partitions to which the directory asset is assigned.

Table 134: Discovery: Information properties for Asset scans
Property Description

ESX Host (RegEx)

Enter a value to limit the search to selected ESX hosts that match this regular expression.

Asset

Select an asset in the current partition to run the Asset Discovery job. An asset is only available for selection if the platform supports Local Asset Discovery.

Ignore If Not Running

Select this check box to limit the search to virtual machines that are currently running.

Table 135: Discovery: Information properties for Directory scans
Property Description
Directory

Select the Directory on which to run the Asset Discovery job.

Table 136: Discovery: Information properties for Network scans
Property Description
Enable OS Detection

This check box is selected by default, indicating that OS fingerprinting is to be used to detect the operation system being used. Clear this check box if you do not want to use the OS fingerprinting process.

Starting IP Address

Enter a starting IPv4 address. All IPv4 addresses between this IPv4 address and the IPv4 address entered in the Ending IP Address field will be included in the discovery.

NOTE: IPv6 scans are not supported.

Ending IP Address

Enter an ending IPv4 address. All IPv4 addresses between this IPv4 address and the IPv4 address entered in the Starting IP Address field will be included in the discovery.

NOTE: IPv6 scans are not supported.

Exclude IP

SPP allows you to exclude an IP address within a specified IPv4 range from the scan.

Click  Add to exclude an IP address from the scan.

Click  Delete to remove the corresponding excluded IPv4 address and include that IP address in the scan.

Asset Discovery Rules tab (asset discovery)

Navigate to:

  • web client: Asset Management > Discovery > Assets > (add or edit a Asset Discovery job).

Use the Asset Discovery Rules tab to govern the discovered assets.

Discovery details
  • Once SPP creates an asset, it will not attempt to re-create it or modify the asset if the asset is rediscovered by a different job.
  • Any SSH host keys encountered in discovery will be automatically accepted.
  • You can configure multiple rules for an Asset Discovery job. When SPP runs the Asset Discovery job, if it finds an asset with more than one rule, it applies the connection and profile settings of the first rule that discovers the asset.

To add a new Asset Discovery rule

  1. On the Asset Discovery Rules tab, click Edit.

  2. Click Add.

  3. In the New Asset Discovery Rule dialog, enter a Name up to 50 characters.

  4. You must specify at least one condition, the connection, and a profile for each rule:

    1. Under Conditions, click Add Condition (asset discovery) to add one or more Group, Constraints, LDAP Filter (for LDAP or Active Directory), or Find All. For more information, see Add Condition (asset discovery).

    2. A Connection Template is required and defaults to Use Discovered Platform (no credentials are associated). To change this, deselect the check box.

    3. On the Management tab, you can manage the profiles to govern the discovered assets.

      • The password profile:

      • You may select SSH Key Profile to select or create an SSH key profile.

      • You may select Account Discovery Job to select or create an account discovery job.

      • For Managed Network, you can select the managed network assigned for workload balancing.

    4. Use the Tags tab to add rule-based tags. To add a tag to the rule, click Add Tag and enter the tag.

  5. Click Apply to save the Asset Discovery rule.

Add Condition (asset discovery)

An Asset Discovery rule can have more than one condition, and each condition can have one or more constraints. When SPP runs the discovery job, it finds all assets that meet all of the search conditions.

Navigate to:

  • web client: Asset Management > Discovery > Assets > (add or edit Asset Discovery job) > New Asset Discovery Job dialog > Asset Discovery Rules tab > (add asset discovery rule) > New Asset Discovery Rule dialog > Conditions tab > (add condition).

To add Find All condition

  1. In the Condition dialog, in Find By, choose Find All.

    • If you are setting up an Asset Discovery job for a directory, Browse the Filter Search Location to select a container within the directory to search for assets. Select Include objects from sub containers to include objects from sub containers or clear the check box to exclude child objects from discovery.

    • If you are setting up an Asset Discovery job for an asset, you can limit the search to selected ESX hosts, and/or virtual machines that are currently running.

  2. Click Preview to test the conditions you have configured and display a list of assets SPP will find in the directory or network you specified based on the conditions entered.

  3. Click OK.

To add LDAP Filter (for LDAP or Active Directory) condition

Search base limits the search to the defined branch of the specified directory, including sub containers if that option is selected. This condition is only available for a Directory discovery job (LDAP or Active Directory directories).

  1. In the Condition dialog:

    1. Find By: Choose LDAP Filter and enter the search criteria to be used.

    2. Filter Search Location: Browse to select a container within the directory to search for assets.

      TIP: Do not select the Directory Root for Asset Discovery jobs.

    3. Include objects from sub containers: Optionally, select this check box to search for assets in sub-containers.

  2. Click Preview to test the conditions you have configured.

  3. Click OK to save your selections.

To add Group for a Directory condition

This condition is only available for a Directory discovery job.

  1. In the Condition dialog:

    1. Find By: Choose Group.

    2. Click Add to launch the Group dialog.

    3. Contains: Enter a full or partial group name and click Search. You can only enter a single string (full or partial group name) at a time.

    4. Filter Search Location: Browse to select a container to search within the directory.

    5. Include objects from sub containers: Select this check box to include child objects.

    6. Select the group to add: The results of the search displays in this grid. Select one or more groups to add to the discovery job.

  2. Click Preview to test the conditions you have configured and display a list of assets Safeguard for Privileged Passwords will find in the directory or network you specified based on the conditions entered.

  3. Click OK to save your selections.

To add Constraints condition

  1. In the Condition dialog, in Find By, choose Constraints.

  2. To change the Filter Search Location, click Browse and select the search location that is the scope of the search. Network Scan Asset Discovery jobs don't support the search bases settings.

  3. To apply constraints (search criteria):

    1. Select a property:

      • Name

      • Description

      • Network Address

      • Operating System

      • Operating System Version

      NOTE: For Network Scan, you can only apply constraints on the information the network finds, which is Name and Operating System.

    2. Select an operator:

      • Equals

      • Does Not Equal

      • Starts With

      • Ends With

      • Contains

      • Does Not Contain

    3. In the Value field, type a value of up to 255 characters. The search is not case-sensitive and does not allow wild cards.

  4. Click Preview to test the conditions you have configured and display a list of assets SPP will find in the directory or network you specified based on the conditions entered.

  5. You can add or delete search constraints:

    1. Click Add to additional constraints to your search criteria.

    2. Click Delete to remove the corresponding constraint from your search criteria.

  6. Click OK to save your selections.

Edit Connection Template (asset discovery)

You can change how you want SPP to connect to and communicate with the discovered assets. The default Connection Template is None, meaning assets are authenticated manually.

Navigate to:

  • web client: Asset Management > Discovery > Assets > (add or edit Asset Discovery job) > New Asset Discovery Job dialog > Asset Discovery Rules tab > (add asset discovery rule) > New Asset Discovery Rule dialog > Connection Template tab

Discovery details
  • Once SPP creates an asset, it will not attempt to re-create it or modify the asset if the asset is rediscovered by a different job.
  • Any SSH host keys encountered in discovery will be automatically accepted.
  • You can configure multiple rules for an Asset Discovery job. When SPP runs the Asset Discovery job, if it finds an asset with more than one rule, it applies the connection and profile settings of the first rule that discovers the asset.

To edit connection template information

  1. Navigate to the New Asset Discovery Rule dialog, and open the Connection Template tab.

  2. In the Connection Template tab, Use Discovered Platform is selected by default. By deselecting this option, you can select a different platform using the Platform field and may need to completed additional information based on the product selected.

  3. Select an Authentication Type and complete the information required for your selection.

    • SSH Key: To authenticate to the asset using an SSH authentication key, select the SSH Key Generation and Deployment Settings:

      • Automatically Generate and deploy a new SSH Key: Select this option to generate and deploy a new SSH authentication key.

      • Automatically Generate a new SSH Key that I will deploy myself: Select this option to generate the SSH authentication key and manually append this public key to the authorized keys file on the managed system for the service account. For more information, see For more information, see Downloading a public SSH key..

        NOTE:The SSH authentication key becomes available after SPP creates the asset. If you do not select this option, SPP automatically installs the SSH authentication key. If you do select this option, SPP creates the key and associates it with the SPP asset you are creating, but it does not install it on the managed system for you.

      • Import an SSH Key that I will deploy myself: Select this option, then Browse to import an SSH authentication key and enter the Password. The private key will be associated with the service account.

        NOTE:SPP does not currently manage the options for an authorized key. If an imported key has any options configured in the authorized keys file on the asset, these options will not be preserved when the key is rotated by SPP.

      • The following display based on whether you are generating or importing the SSH key:

        • SSH Key: (Import) Click Browse to select the SSH key to import. On the Import SSH Key dialog, browse for the Private Key File and enter the Password.

        • Key Comment: Enter a meaningful comment. If left blank, the comment will default to Generated by Safeguard.

        • Service Account Name: Enter the name of the service account.

        • Password: (Automatic generation) Enter the password.

        • Service Account Password Profile can be edited or removed. Available profiles are based on the partition selected on the General tab (asset discovery).

        • Service Account SSH Key Profile can be edited or removed. Available profiles are based on the partition selected on the General tab (asset discovery).

    • Directory Account: To authenticate to the assets using the service account from an external identity store such as Microsoft Active Directory, select the service account.

      • Account Name: Click Browse to choose the directory account.

      • Service Account Password Profile can be edited or removed. Available profiles are based on the partition selected on the General tab (asset discovery).

    • Password: To authenticate to the assets using a local service account and password.

      • Account Name and Password: Enter these values.

      • Service Account Password Profile can be edited or removed. Available profiles are based on the partition selected on the General tab (asset discovery).

    • Starling Connect: To authenticate to the assets using Starling Connect.

      • Account Name and Password: Enter these values.

    • None: The accounts associated with the asset are not managed and no asset related credentials are stored.

  4. The following information may be needed, based on the Authentication Type selected.

    • Login with service account name only: Selecting this option will allow SPP to login the asset using only the service account name. The domain will not be used.

    • Privilege Elevation Command:

      If required, enter a privilege elevation command (such as sudo). This is used as a prefix for commands that require privileged access on the system and to manage accounts on Unix-based systems; that is, to check and change SSH keys and to discover accounts.

      Sudo commands follow.

      • AuthorizedKeyCommand
      Specify a program to look up the user's public keys
      • cat
      • chmod
      • chown
      • cp
      • echo
      • egrep
      • find
      • grep
      • host
      • ls
      • mkdir
      • mv
      • rm
      • sed
      • sshd
      • ssh-keygen
      • tee
      • test
      • touch
      • usermod

      When adding an asset, this command is used to perform Test Connection. For more information, see About Test Connection..

      The privilege elevation command must run non-interactively, that is, without prompting for a password. For more information, see Preparing Unix-based systems.

      The limit is 255 characters.

    • Port: Enter the port number for the connection.
    • Allow Session Requests: This check box is selected by default indicating that authorized users can request session access for the discovered assets. Clear the check box if you do not want to allow session requests for the asset.

      • RDP Port: Specify the access port on the target server to be used for RDP session requests.

      • SSH Port: Specify the access port on the target server to be used for SSH session requests.

    • Connection Timeout: Enter how long to wait (in seconds) for both the connect and command timeout.

    • Privilege Level Password: Enter the system enable password to allow access to the configuration.

    • Client ID: Enter the application Client ID (for example, for ServiceNow or SAP).

    • Use SSL Encryption: Select this option to enable Safeguard to encrypt communication with this asset. If you do not select this option for a MicrosoftSQL Server that is configured to force encryption, Test Connection will use untrusted encryption and succeed with valid credentials. For more information about how Safeguard database servers use SSL, see How do SPP database servers use SSL.

    • Verify SSL Certificate: Use this option to enable or disable SSL Certificate verification on the asset. When enabled, Safeguard for Privileged Passwords compares the signing authority of the certificate presented by the asset to the certificates in the Trusted CA Certificates store every time Safeguard for Privileged Passwords connects to the asset. Trust must be established for Safeguard for Privileged Passwords to manage the asset. For Safeguard for Privileged Passwords to verify an SSL certificate, you must add the asset's signing authority certificate to the Trusted CA Certificates store. Only clear the Verify SSL Certificate option if you do not want to establish trust with the asset.certificate in SPP's Trusted CA Certificates store. One Identity does not recommend disabling this option in production environments.

    • Workstation ID: Specify the configured workstation ID, if applicable. This option is for IBM i systems.

    • Instance/Service Name: For SQL Server platforms, specify the Instance name if you have configured multiple instances of a SQL Server on this asset. If you have configured a default (unnamed) instance of the SQL Server on the host, you need to provide the IP address and port number.

      For Oracle platforms, use the TNSNAMES naming method to identify the target system in Oracle. Depending on how the Oracle environment is configured, the Instance (also called SID in Oracle) and/or the Service Name (ServiceName) can be used to identify the target database.

  5. Click OK.

  6. If asked to Verify Host Authenticity, click Yes to accept the SSH Key for the host.

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating