Chat now with support
Chat with Support

One Identity Safeguard for Privileged Passwords 2.11.2 - Administration Guide

Introduction System requirements Using the virtual appliance and web management console Using the cloud Setting up Safeguard for Privileged Passwords for the first time Search box Using the web client Installing the desktop client Using the desktop client Privileged access requests Toolbox Accounts Account Groups Assets Asset Groups Discovery Entitlements Partitions Settings
Access Request settings Appliance settings Asset Management settings Backup and Retention settings Certificate settings Cluster settings External Integration settings Messaging settings Profile settings Safeguard Access settings Sessions settings
Users User Groups Disaster recovery and clusters Administrator permissions Preparing systems for management Troubleshooting Frequently asked questions Appendix A: Safeguard ports Appendix B: SPP 2.7 or later migration guidance Appendix C: SPP and SPS join guidance Appendix D: Regular Expressions Appendix E: Historical changes by release Glossary

Web management console system requirements

Table 7: Web kiosk requirements
Component Requirements
Web management console

Desktop browsers:

  • Google Chrome 77 (or later)
  • Microsoft Internet Explorer 11 and Edge
  • Mozilla Firefox 69 (or later)

NOTE: To use FIDO2 two-factor authentication, you will need a web browser that supports the WebAuthn standard.

The web management console is implemented for modern web browser technology, using:

  • HTML5
  • CSS
  • JavaScript

Supported platforms

One Identity Safeguard for Privileged Passwords supports a variety of platforms, including custom platforms.

Safeguard for Privileged Passwords tested platforms

The following table lists the platforms and versions that have been tested for Safeguard for Privileged Passwords (SPP). Additional assets may be added to Safeguard for Privileged Passwords. If you do not see a particular platform listed when adding an asset, use the Other, Other Managed, or Other Linux selection on the Management tab of the Asset dialog. For more information, see Management tab (add asset).

SPP joined to SPS: Sessions platforms

When Safeguard for Privileged Passwords (SPP) is joined with a Safeguard for Privileged Sessions (SPS) appliance, platforms are supported that use one of these protocols:

• SPP 2.8 or lower: RDP, SSH

• SPP 2.9 or higher: RDP, SSH, or Telnet

Some platforms may support more than one protocol. For example, a Linux (or Linux variation) platform supports both SSH and Telnet protocols.

For the embedded sessions module, platforms that support RDP and SSH protocols are generally supported.

Table 8: Supported platforms: Assets that can be managed
Platform Version Architecture (all versions unless noted)

SPP

SPS

ACF2 - Mainframe

r14, r15

zSeries

True

True

ACF2 - Mainframe LDAP

r14, r15

zSeries

True

False

Active Directory

 

 

True

False

AIX

6.1, 7.1, 7.2

PPC

True

True

Amazon Linux

2

x86_64

True

True

Amazon Web Services (AWS)

 1  

True

False

CentOS Linux

6

7

(ver 6) x86, x86_64

(ver 7) x86_64

True

True

Cisco ASA

7.x, 8.x

 

True

True

Cisco IOS 12.X, 15.X  

True

True

Debian GNU/Linux

6, 7, 8, 9

x86, x86_64, MIPS, PPC, zSeries

True

True

Dell iDRAC

7, 8

  

True

True

ESXi (VSphere)

5.5, 6.0, 6.5, 6.7

 

True

False

F5 Big-IP

12.1.2, 13.0, 14.0

  

True

True

Facebook (deprecated)

    

True

False

Fedora

21, 22, 23, 24, 25, 26, 27, 28, 29, 30

x86, x86_64

True

True

Fortinet FortiOS

5.2, 5.6

  

True

True

FreeBSD

10.4, 11.1, 11.2

x86, x86_64

True

True

HP iLO

2, 3, 4

x86

True

True

HP iLO MP

2, 3

IA-64

True

True

HP-UX

11iv2 (B.11.23),
11iv3 (B.11.31)

PA-RISC, IA-64

True

True

IBM i

7.1, 7.2, 7.3

PPC

True

True

Junos - Juniper Networks

12, 13, 14, 15

  

True

True

macOS

10.9, 10.10, 10.11, 10.12, 10.13

x86_64

True

True

MongoDB

3.4, 3.6, 4.0

  

True

False

MySQL

 5.6, 5.7  

True

False

OpenLDAP

2.4

 

True

False

Oracle

11g Release 2,
12c Release 1		  

True

False

Oracle Linux (OEL)

6

7

(ver 6) x86, x86_64

(ver 7) x86_64

True

True

Other

 

 

False

False

Other Linux

 

 

True

True

Other Managed

 

 

True

False

PAN-OS

6.0, 7.0, 8.0, 8.1

  

True

True

PostgreSQL

9.6, 10.2, 10.3, 10.4, 10.5

 

True

False

RACF - Mainframe

z/OS V2.1 Security Server,
z/OS V2.2 Security Server

 zSeries

True

True

RACF - Mainframe LDAP

 z/OS V2.1 Security Server,
z/OS V2.2 Security Server

zSeries

True

False

Red Hat Enterprise Linux (RHEL)

6, 7, 8

(ver 6) x86, x86_64, PPC, zSeries

(ver 7 and 8) x86, x86_64, PPC, zSeries

True

True

SAP HANA

2.0

Other

True

False

SAP Netweaver Application Server

7.3, 7.4, 7.5

  

True

False

Solaris

10, 11

(ver 10) SPARC, x86, x86_64

(ver 11) SPARC, x86_64

True

True

SonicOS

5.9, 6.2

  

True

False

SonicWALL SMA or CMS

11.3.0

  

True

False

SQL Server

2012, 2014, 2016

  

True

False

SUSE Linux Enterprise Server (SLES)

11

12

(ver 11) x86, x86_64, PPC, zSeries, IA-64

(ver 12) x86_64, PPC, zSeries

True

True

Sybase (Adaptive Server Enterprise)

15.7, 16

  

True

False

Top Secret - Mainframe

r14, r15

zSeries

True

True

Top Secret - Mainframe LDAP

r14, r15

zSeries

True

False

Twitter (deprecated)

    

True

False

Ubuntu

14.04 LTS, 15.04, 15.10, 16.04 LTS, 16.10, 17.04, 17.10, 18.04 LTS, 18.10, 19.04

x86, x86_64

True

True

Windows

Vista, 7, 8, 8.1, 10 Enterprise (including LTSC and loT).

 

True

True

Windows Server

2008, 2008 R2, 2012, 2012 R2, 2016, 2019

  

True

True

Windows SSH

7, 8, 8.1, 10

Server 2008 R2, 2012, 2012 R2, 2016, 2019

Windows SSH Other

 

True

True

Table 9: Supported platforms: Directories that can be searched
Platform Version

Microsoft Active Directory

Windows 2008+ DFL/FFL

OpenLDAP

2.4

Custom platforms

The following example platform scripts are available:

  • Custom HTTP
  • Linux SSH
  • Telnet
  • TN3270 transports are available

For more information, see the Safeguard for Privileged Passwords Administration Guide, Custom platforms and Creating a custom platform script.

CAUTION: Facebook and Twitter functionality has been deprecated. Refer to the custom platform open source script provided on GitHub. Facebook and Twitter platforms will be remove in a future release.

Sample custom platform scripts and command details are available at the following links available from the Safeguard Custom Platform Home wiki on GitHub:

CAUTION: Example scripts are provided for information only. Updates, error checking, and testing are required before using them in production. Safeguard for Privileged Passwords checks to ensure the values match the type of the property that include a string, boolean, integer, or password (which is called secret in the API scripts). Safeguard for Privileged Passwords cannot check the validity or system impact of values entered for custom platforms.

Product licensing

One Identity Safeguard for Privileged Passwords is made up of a core set of features, such as the UI and Web Services layers, and a number of modules.

Hardware appliance

The One Identity Safeguard for Privileged Passwords 2000 Appliance ships with the following module which requires a valid license to enable functionality:

  • Privileged Passwords
  • Privileged Sessions

You must install a valid license for each Safeguard for Privileged Passwords module to operate. More specifically, if any module is installed, Safeguard for Privileged Passwords will show a license state of Licensed and is operational. However, depending on which models are licensed, you will see limited functionality. That is, even though you will be able to configure access requests:

  • If a Privileged Passwords module license is not installed, you will not be able to request a password release.
  • If a Privileged Sessions module license is not installed, you will not be able to initiate a session access request from the embedded sessions module.

Virtual appliance licensing

The Safeguard for Privileged Passwords virtual appliance requires a valid Microsoft Volume License Agreement that includes licensing for Windows 10 Enterprise. Privileged sessions is available via a join to Safeguard for Privileged Sessions.

The virtual appliance will not function unless the operating system is properly licensed.

License expiration notice

As an Appliance Administrator:

  • If you receive a "license expiring" notification, apply a new license using that module's Update License link:
    • From the web client, click the  Settings menu on the left to go to the Settings: Appliance page. Click Licensing . Click to upload a new license file.
    • From the desktop client, navigate to Administrative Tools | Settings | Appliance | Licensing. Click to upload a new license file.
  • If all licensed modules have expired, you will be prompted to add a new license when logging in to the Safeguard for Privileged Passwords desktop client.
  • If only one of the licensed modules have expired, apply a new module license by clicking in Administrative Tools | Settings | Appliance | Licensing.

As a Safeguard for Privileged Passwords user, if you get an "appliance is unlicensed" notification, contact your Appliance Administrator.

For more information on adding or updating a Safeguard for Privileged Passwords license, see Licensing.

Using the virtual appliance and web management console

Before you start: platforms and resources

When setting up a virtual environment, carefully consider the configuration aspects such as CPU, memory availability, I/O subsystem, and network infrastructure to ensure the virtual layer has the necessary resources available. See One Identity's Product Support Policies for more information on environment virtualization.

Platforms and versions that have been tested with the web management console follow.

  • Operating system: Windows 10 Enterprise LTSC including dynamic disks. If you are using KMS, the KMS server needs to be able to validate Windows 10 Enterprise LTSC.
  • Supported VMs:
    • Microsoft Hyper-V (VHDX) version 8 or higher
    • VMware vSphere with vSphere Hypervisor (ESXi) version 6.5 or higher
    • VMWare Workstation version 6.5 or higher
  • Minimum resources recommended: 4 CPUs, 10GB RAM, and a 500GB disk
Available wizards

The Appliance Administrator responsible for racking and initial configuration of the appliance can create the virtual appliance, launch the Safeguard web management console, and select one of the following wizards.

  • Initial Setup: Used to set up the virtual appliance for the first time including naming, OS licensing, and networking. For more information, see Setting up the virtual appliance.
  • Setup: After the first setup, Safeguard for Privileged Passwords updates and networking changes can be made via the web management console by clicking Setup.

  • Support Kiosk: The Support Kiosk is used to diagnose and resolve issues with Safeguard for Privileged Passwords. Any user able to access the kiosk can perform low-risk support operations including appliance restart or shutdown and support bundle creation. In order to reset the admin password, the user must obtain a challenge response token from One Identity support. For more information, see Support Kiosk.

Security

To maximize security in the absence of a hardened appliance, restrict the access to the Safeguard virtual disks, the web management console, and the MGMT interface to as few users as possible.

Recommendations follow.

  • X0 hosts the public API and is network adapter 1 in the virtual machine settings. Connect this to your internal network.
  • MGMT hosts the web management console and is network adapter 2 in the virtual machine settings. This interface always has the IP address of 192.168.1.105. Connect this to a private, restricted network accessible to administrators only, or disconnect it from the network to restrict unauthenticated actions such as rebooting or shutting down the appliance. The web management console is also available via the VMware console.

Once setup is completed, you can verify which of your NICs is MGMT and X0 by referring to the MAC address information found in Support Kiosk | Appliance Information | Networking for X0 and MGMT. For more information, see Support Kiosk.

Backups: virtual appliance and hardware appliance

To protect the security posture of the Safeguard hardware appliance, Safeguard hardware appliances cannot be clustered with Safeguard virtual appliances. Backups taken from a hardware appliance cannot be restored on virtual appliances and backups taken from a virtual appliance cannot be restored on a hardware appliance.

For more information, see Virtual appliance backup and recovery.

Upload and download

There is a web management console running on 192.168.1.105. When you connect to the virtual appliance via the virtual display, the web management console is displayed automatically, however, upload and download functionality are disabled when connected this way.

You may choose to configure the networking of your virtual machine infrastructure to enable you to proxy to https://192.168.1.105 from your desktop. Connecting in this way will enable you to upload and download from the web management console.

CAUTION: Cloning and snapshotting are not supported and should not be used. Instead of cloning, deploy a new VM and perform Initial Setup. Instead of snapshotting, take a backup of the virtual appliance.

Related Documents