
One Identity Safeguard for Privileged Passwords 2.11 - Administration Guide


Lights Out Management (BMC)

The Lights Out Management feature allows you to remotely manage the power state and serial console to Safeguard for Privileged Passwords using the baseboard management controller (BMC). When a LAN interface is configured, this allows the Appliance Administrator to power on an appliance remotely or to interact with the Recovery Kiosk.

It is the responsibility of the Appliance Administrator to enable and configure the Lights Out Management feature. When Lights Out Management is enabled, the Appliance Administrator can set or change the password and modify the network information for the baseboard management controller (BMC). When disabled, Safeguard for Privileged Passwords immediately resets the password to a random value and resets the network settings to default values.

IMPORTANT: This feature requires a LAN interface to be enabled and configured. The One Identity Safeguard for Privileged Passwords BMC supports the following LAN interfaces to provide this functionality:

  • SSH
  • IPMI v2
  • Web
  • Serial over LAN

It is strongly recommended that the LAN interface only be enabled in trusted environments.

To enable Lights Out Management

  1. Access Lights Out Management in one of two ways:
  2. Click the Enable Lights Out Management toggle to enable or disable this feature. Set toggle on or toggle off.
  3. Once enabled, enter the following information about the BMC:
    1. IP address: The IPv4 address of the host machine.
    2. Netmask: The network mask IPv4 address.
    3. Default Gateway: The default gateway IPv4 address.
  4. Click the Set BMC Admin Password button to set the password for the host machine.

    Maximum password length: 20 characters.

    NOTE: If this feature was previously enabled, you will see an Update BMC Admin Password button instead. Optionally, click the Update BMC Admin Password button to reset the password for the host machine.

  5. Click OK to save the settings on the host machine.

NOTE: Once Lights Out Management is enabled in Safeguard for Privileged Passwords, you can access the BMC via a web interface or by using SSH to connect to the IPMI port to remotely manage the power state and serial console to Safeguard for Privileged Passwords. The default user for accessing the BMC is ADMIN.
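The following pre-flight check is an added example, not part of the product or this guide's own tooling. It validates the BMC values from step 3 and the 20-character password limit before they are entered, and confirms the BMC address sits in a network you consider trusted; the function name, the `trusted_nets` parameter and the sample addresses are assumptions constructed for illustration.

```python
import ipaddress

MAX_BMC_PASSWORD_LEN = 20  # maximum password length stated in this guide


def check_bmc_settings(ip, netmask, gateway, password, trusted_nets):
    """Return a list of problems; an empty list means the values are consistent.

    trusted_nets is a hypothetical list of CIDR strings naming the management
    networks where exposing the BMC LAN interface is acceptable.
    """
    try:
        iface = ipaddress.IPv4Interface(f"{ip}/{netmask}")
        gw = ipaddress.IPv4Address(gateway)
    except ValueError as exc:  # covers bad address, bad netmask, bad gateway
        return [f"invalid IPv4 value: {exc}"]

    problems = []
    net = iface.network
    # On ordinary subnets the network and broadcast addresses are not usable hosts.
    if net.prefixlen < 31 and iface.ip in (net.network_address, net.broadcast_address):
        problems.append("IP address is the network or broadcast address")
    if gw not in net:
        problems.append("default gateway is outside the BMC subnet")
    if gw == iface.ip:
        problems.append("default gateway equals the BMC address")
    # The guide recommends enabling the LAN interface only in trusted environments.
    if not any(iface.ip in ipaddress.IPv4Network(n) for n in trusted_nets):
        problems.append("BMC address is not in a trusted management network")
    if not password:
        problems.append("BMC admin password is empty")
    elif len(password) > MAX_BMC_PASSWORD_LEN:
        problems.append("BMC admin password exceeds 20 characters")
    return problems


if __name__ == "__main__":
    # Constructed sample values, not taken from any real deployment.
    for issue in check_bmc_settings("10.20.30.40", "255.255.255.0", "10.20.31.1",
                                    "x" * 24, ["10.20.30.0/24"]):
        print("FAIL:", issue)
```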

Networking

On Networking, view and configure the primary network interface, and if applicable, a proxy server to relay web traffic, and the sessions network interface.

It is the responsibility of the Appliance Administrator to ensure the network interfaces are configured correctly.

CAUTION: For Azure, network settings user interfaces are read-only. Network settings are configured by the Azure Administrator. Changing the internal network address on a clustered appliance will break the cluster and require the appliance to be unjoined/rejoined.

(web client) To modify the networking configuration settings

  1. Click Settings on the left. The Settings: Appliance page displays.
  2. Click Networking to configure the appliance.
  3. Continue to the Network settings.

(desktop client) To modify the networking configuration settings

  1. Navigate to Administrative Tools | Settings | Appliance | Networking.
  2. Click the Edit icon next to the Network Interface or Proxy Server heading to edit or configure the network properties.
  3. Network settings

Network settings

Complete the network settings.

Network Interface X0 (primary interface)

Table 110: Network Interface X0 properties
Property Description
MAC Address The media access control address (MAC address), a unique identifier assigned to the network interface for communications
IP Address The IPv4 address of the network interface
Netmask The IPv4 network mask
Default Gateway The IPv4 default gateway
IPv6 Address The IPv6 address of the network interface
IPv6 Prefix Length The IPv6 subnet prefix length
IPv6 Gateway The IPv6 default gateway
DNS Servers The IP address for the primary DNS servers
DNS Suffixes The network suffixes for the DNS servers

NOTE: You can modify the network suffixes for the DNS servers by clicking the Edit icon next to the Network Interface X0 heading.

Proxy Server X0

The Proxy Server X0 settings must be configured if your company policies do not allow devices to connect directly to the web. Once configured, Safeguard for Privileged Passwords uses the configured proxy server for outbound web requests to external integrated services, such as Starling.

NOTE: Only HTTP web proxy is supported.

Table 111: Proxy Server X0 properties
Property Description
Proxy URI The IP address or DNS name of the proxy server.
Port The port number used by the proxy server to listen for HTTP requests. Value: Integer from 1 to 65535. NOTE: If different ports are specified in the proxy URI and the Port field, the Port field takes precedence.
Username The user name used to connect to the proxy server. NOTE: The username and password are only required if your proxy server requires them to be specified.
Password The password required to connect to the proxy server. NOTE: The username and password are only required if your proxy server requires them to be specified.
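The port precedence rule in Table 111 is easy to get wrong when writing egress firewall rules, so the added example below (not part of the product) resolves the endpoint that will actually be contacted from a Proxy URI and Port field pair. The function name and sample host names are assumptions, and reading "Only HTTP web proxy is supported" as rejecting any non-http scheme is this example's interpretation.

```python
from urllib.parse import urlsplit


def effective_proxy(proxy_uri, port_field=None):
    """Return (host, port, overridden) for a Proxy URI / Port field pair.

    overridden is True when the URI carried a port that the Port field
    replaced, which is the case worth flagging in a change review.
    """
    raw = proxy_uri.strip()
    # A bare "host" or "host:port" has no scheme; prefix "//" so it parses as a netloc.
    parts = urlsplit(raw if "://" in raw else "//" + raw)
    if parts.scheme not in ("", "http"):
        raise ValueError("only an HTTP web proxy is supported")
    if not parts.hostname:
        raise ValueError("proxy URI has no host")

    uri_port = parts.port  # raises ValueError if non-numeric or above 65535
    # Guide rule: when both are given and differ, the Port field wins.
    port = port_field if port_field is not None else uri_port
    if port is None:
        raise ValueError("no port in the proxy URI or the Port field")
    if not isinstance(port, int) or not 1 <= port <= 65535:
        raise ValueError("port must be an integer from 1 to 65535")

    overridden = uri_port is not None and uri_port != port
    return parts.hostname, port, overridden


if __name__ == "__main__":
    # Constructed sample input: the URI says 3128 but the Port field says 8080.
    host, port, overridden = effective_proxy("http://proxy.example.test:3128", 8080)
    print(f"outbound web requests go to {host}:{port} (URI port overridden: {overridden})")
```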

Network Interface X1 (embedded sessions interface)

NOTE: If one or more Safeguard Sessions Appliances are joined to Safeguard for Privileged Passwords, X1 is not available in Safeguard for Privileged Passwords.

Table 112: Network Interface X1 properties
Property Description
MAC Address The MAC address, a unique identifier assigned to the session interface for communications
IP Address The IPv4 address of the session interface

Netmask The IPv4 network mask
Default Gateway The IPv4 default gateway
IPv6 Address The IPv6 address of the session interface
IPv6 Prefix Length The IPv6 subnet prefix length
IPv6 Gateway The IPv6 default gateway
DNS Servers The IP address for the primary DNS servers
DNS Suffixes The network suffixes for the DNS servers

Operating system licensing

It is the responsibility of the Appliance Administrator to ensure the operating system is configured. Operating system licensing is automatic in the Azure deployment.

Use the Operating System Licensing pane to view and configure the operating system of a virtual appliance.

  1. Navigate to Administrative Tools | Settings | Appliance | Operating System Licensing. Click Refresh anytime to refresh the settings.
  2. The display shows if Windows is licensed with KMS or licensed with a product key. Click Details to see additional information.
  3. Click Edit to change the operating system license and select one of the following options.
    • License automatically with KMS: If you select this option, Safeguard will use DNS to locate the KMS server automatically.
    • Specify a KMS server: If KMS is not registered with DNS, enter the network IP address of your KMS server.
    • Specify a license key: If selected, your appliance will need to be connected to the internet for the necessary verification to add your organization's Microsoft activation key.
  4. Click OK.

Support Bundle

To analyze and diagnose issues, One Identity Support may ask the Appliance Administrator or Operations Administrator to send a support bundle containing system and configuration information.

NOTES: As an alternative, you can use the Recovery Kiosk to generate and send a support bundle to a Windows share. For more information, see Recovery Kiosk (Serial Kiosk).

Virtual appliance support bundles are generated from the web management console. For more information, see Support Kiosk.

To create a support bundle

  1. Navigate to Administrative Tools | Settings | Appliance | Support Bundle.

    NOTE: Select the Include Session Log check box if you want to include the Sessions debug log in the support bundle. This check box is only available if you are using the hardware SPP Appliance and are licensed for and are using the embedded sessions module.

  2. Click Generate Support Bundle.
  3. Browse to select a location to save the support bundle .zip file and click Save.
  4. Send the support bundle to One Identity Support. For more information, see About us.

Related Topics

Troubleshooting

Frequently asked questions
