Use the Offline Workflow page to configure automatic settings to control Offline Workflow Mode. You can manually override the automatic settings. For more information, see Manually override automatic Offline Workflow.
To configure automatic settings to control Offline Workflow Mode
1. Go to Offline Workflow:
   - web client: Navigate to Cluster > Offline Workflow.
2. On the Offline Workflow dialog, select Enable Automatic Offline Workflow so the appliance is automatically placed in Offline Workflow Mode when it loses connection and cannot establish consensus with the cluster for the number of minutes entered in the next step.
3. Identify the number of Minutes after consensus is lost before the appliance is automatically switched over to Offline Workflow Mode. The Automatic Offline Workflow Threshold defaults to 15 minutes and can be changed to a minimum of five minutes or more.
4. If you selected the first check box to enable automatic Offline Workflow Mode, you can select Automatic Resume Online Workflow so the appliance automatically resumes online operations once consensus with the cluster has been restored for the number of minutes entered in the next step.
5. Identify the number of Minutes after consensus is restored before the appliance is automatically switched over to online workflow. The Automatic Resume Online Workflow Threshold defaults to 15 minutes and can be changed to a minimum of five minutes or more.
6. Click Save.
Use the Offline Workflow page to manually enable offline workflow or resume online operations.
For details on either of these operations, see Manually control Offline Workflow Mode.
Before resuming online operations, see Considerations to resume online operations.
To manually Enable Offline Workflow
This option is only available when the appliance has lost consensus with the cluster.
1. Go to Enable Offline Workflow:
   - web client: Navigate to Cluster > Offline Workflow.
2. Click Enable Offline Workflow to manually trigger Offline Workflow Mode.
3. In the dialog box, type in Enable Offline Workflow and click Enter. The appliance is now in Offline Workflow Mode and enters maintenance.
4. You can verify requests and view health checks on the Cluster Management window. For more information, see Cluster Management.
The Asset Administrator can link a Safeguard for Privileged Sessions (SPS) cluster to a Safeguard for Privileged Passwords (SPP) cluster of one appliance or more for session recording and auditing. The actual link must be between the Safeguard for Privileged Passwords primary and the SPS cluster master. This means that the SPS cluster is aware of each node in a Safeguard for Privileged Passwords cluster and vice versa.
Once linked, all sessions are initiated by the Safeguard for Privileged Passwords appliance via an access request, managed by the SPS appliance, and recorded via the Sessions Appliance.
CAUTION: When linking your Safeguard for Privileged Sessions (SPS) deployment to your Safeguard for Privileged Passwords (SPP) deployment, ensure that the SPS and SPP versions match exactly, and keep the versions synchronized during an upgrade. For example, you can only link SPS version 6.6 to SPP version 6.6, and if you upgrade SPS to version 6.7, you must also upgrade SPP to 6.7.
Make sure that you do not mix Long Term Supported (LTS) and feature releases. For example, do not link an SPS version 6.0.1 to an SPP version 6.1.
NOTE: If you have a single-node SPS cluster where the Central Management node is also the Search Master, Safeguard for Privileged Passwords will be unable to launch sessions. There has to be at least one SPS appliance in the cluster that is capable of recording sessions. See the One Identity SPS Administration Guide, Managing Safeguard for Privileged Sessions (SPS) clusters.
Safeguard for Privileged Passwords link guidance
Before initiating the link, review the steps and considerations in the link guidance. For more information, see Safeguard for Privileged Passwords and SPS appliance link guidance.
Pay attention to the roles assigned to the SPS nodes. The following caution is offered to avoid losing session playback from Safeguard for Privileged Passwords.
CAUTION: Do not switch the role of an SPS node from the Search Local role to the Search Minion role. If you do, sessions recorded while the node was in the Search Local role may not be played back from the Safeguard for Privileged Passwords appliance, and may only be played back via the SPS web user interface. Recordings made with the node in the Search Minion role are pushed to the Search Master node and are available for download to Safeguard for Privileged Passwords. For details about SPS nodes and roles, see the One Identity SPS Administration Guide: One Identity Safeguard for Privileged Sessions - Technical Documentation.
If the Safeguard for Privileged Sessions Central Management node is down
Safeguard for Privileged Passwords continues to launch sessions on the managed hosts when the Safeguard for Privileged Sessions Central Management node is down. However, as long as the Central Management node is down, Safeguard for Privileged Passwords cannot validate existing policies nor can it validate the Safeguard for Privileged Sessions cluster topology. For more information, see Managing a High Availability One Identity Safeguard for Privileged Sessions (SPS) cluster in the One Identity Safeguard for Privileged Sessions Administration Guide.
Viewing, deleting, or editing link connections
Once the link is complete, in the web client, navigate to Cluster > Session Appliances.
The Session Appliances pane displays the following session details.
Table 44: Session Appliances: Properties

| Property | Description |
| --- | --- |
| Host Name | The host name of the Safeguard for Privileged Sessions appliance host cluster master. |
| Managed Hosts | Other nodes in the Safeguard for Privileged Sessions cluster identified by the managed host name and IP address. Hover over any Warning icon to see if the Managed Host is Unavailable or Unknown. |
| Network Address | The network DNS name or IP address of the session connection. |
| Connection User | The user name for Safeguard for Privileged Passwords. Do not include spaces in the user name. |
| Thumbprint | A unique hash value that identifies the certificate. |
| Description | (Optional) Descriptive text about the Safeguard for Privileged Sessions session connection (for example, 20 on cluster - 172 primary node). |
Double-click a Host Name row to bring up the Session Module Connection dialog.
Table 45: Session Module Connection: Properties

| Property | Description |
| --- | --- |
| Node ID | The name of the Safeguard for Privileged Sessions Appliance used to authenticate the linked SPS session connection. |
| Host Name | The host name of the Safeguard for Privileged Sessions appliance host cluster master. |
| Connection User name | The user name for Safeguard for Privileged Passwords. Do not include spaces in the user name. |
| Description | (Optional) Descriptive text about the Safeguard for Privileged Sessions session connection (for example, 20 on cluster - 172 primary node). |
| Network Address | The network DNS name or IP address of the session connection. |
| Use Host Name For Launch (not IP address) | If checked, the connection string used to launch a session uses the host name of the Safeguard for Privileged Sessions appliance rather than the IP address. |
Use these toolbar buttons to manage sessions.
Table 46: Sessions Management: Toolbar

| Button | Description |
| --- | --- |
| Remove | Remove the selected linked Safeguard for Privileged Sessions session connection. For details on soft versus hard deletes, see Connection deletion: soft delete versus hard delete. |
| Edit | Modify the selected linked Safeguard for Privileged Sessions session connection Description or Network Address on the Session Module Connection dialog. |
| Refresh | Update the list of linked Safeguard for Privileged Sessions session connections. |
Depending on your goals, you can perform a soft delete or a hard delete.
Soft delete the connection
When a session connection is deleted, the connection information is soft deleted so that a relink of the same Safeguard for Privileged Sessions appliance can reuse the same values. This approach of soft deleting and reusing the same connection values on a relink avoids "breaking" all of the Access Request Polices that referenced the previous session connection.
Hard delete the connection
A hard delete can be performed to permanently remove the session connection. This is usually only done in cases where either a relink is not desired or retaining the previous session connection values is preventing a Safeguard for Privileged Sessions appliance from linking or relinking.
A hard delete can be performed from the API using either PowerShell or Swagger, as described in the following steps.
Hard delete with PowerShell
The latest version of Safeguard PowerShell includes two cmdlets to perform the hard delete:
Split-SafeguardSessionCluster -SessionMaster <name or ID of session master>
Remove-SafeguardSessionSplitCluster -SessionMaster <name or ID of session master>
For more information, see OneIdentity/safeguard-ps.
Hard delete with Swagger
To perform hard deletion with Swagger
1. In a browser, navigate to https://<your-ip-address>/service/core/swagger.
2. Authenticate to the service using the Authorize button.
3. Navigate to Cluster->GET /v4/cluster/SessionModules and click Try it out!.
4. Identify whether the unwanted session connection exists in the list:
   a. If the unwanted session connection exists in the list, then:
      1. Note the ID of the session connection.
      2. Navigate to Cluster DELETE /v4/cluster/SessionModules.
      3. Enter the ID.
      4. Click Try it out!.
      5. Go to step 3.
   b. If the unwanted session connection does not exist in the list, then:
      1. Set the includeDisconnected parameter to true.
      2. Click Try it out!.
      3. If the unwanted session connection exists in the list, then go to step 4a to delete the entry a second time, which results in a hard delete.
5. The process is complete and the session connection is permanently removed.
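The same soft-then-hard delete sequence, scripted against the two endpoints named above. This is an added example, not One Identity's code; it assumes `client` wraps an already-authenticated session to https://<appliance>/service/core, that records carry "Id" and "HostName" fields, and that DELETE takes the ID in the path (none of these names come from the page, and the FakeSppClient is a constructed stand-in).

```python
# Added example, not One Identity's code: the Swagger hard-delete procedure
# above as a script. Assumptions: `client` wraps an already-authenticated
# session to https://<appliance>/service/core; records carry "Id" and
# "HostName" fields; DELETE takes the ID in the path. None of these names
# come from the page.
SESSION_MODULES = "/v4/cluster/SessionModules"


def find_module(client, host_name, include_disconnected=False):
    """Return the session connection record for host_name, or None."""
    params = {"includeDisconnected": "true"} if include_disconnected else {}
    for module in client.get(SESSION_MODULES, params=params):
        if module["HostName"].lower() == host_name.lower():
            return module
    return None


def hard_delete_session_module(client, host_name):
    """Delete the linked SPS connection until it no longer appears even with
    includeDisconnected=true. Returns the IDs passed to DELETE (0-2 calls)."""
    deletes = []
    # Step 4a: the entry is still connected -> first DELETE is a soft delete.
    module = find_module(client, host_name)
    if module is not None:
        client.delete(f"{SESSION_MODULES}/{module['Id']}")
        deletes.append(module["Id"])
    # Step 4b: re-list with includeDisconnected=true; deleting the
    # soft-deleted entry a second time is the hard delete.
    module = find_module(client, host_name, include_disconnected=True)
    if module is not None:
        client.delete(f"{SESSION_MODULES}/{module['Id']}")
        deletes.append(module["Id"])
    return deletes


class FakeSppClient:
    """Constructed stand-in for the core API (not a real HTTP client) that
    models the soft-then-hard delete behaviour the page describes."""
    def __init__(self, modules):
        self.modules = {m["Id"]: dict(m, Disconnected=False) for m in modules}

    def get(self, path, params=None):
        show_all = (params or {}).get("includeDisconnected") == "true"
        return [m for m in self.modules.values()
                if show_all or not m["Disconnected"]]

    def delete(self, path):
        module_id = int(path.rsplit("/", 1)[1])
        if self.modules[module_id]["Disconnected"]:
            del self.modules[module_id]               # second delete: gone
        else:
            self.modules[module_id]["Disconnected"] = True  # soft delete
```

Against a real appliance, replace FakeSppClient with an HTTPS client that sends the bearer token and returns the decoded JSON list from GET.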