Chat now with support
Chat with Support

One Identity Safeguard for Privileged Passwords 2.11 - Evaluation Guide

Setting up Safeguard for Privileged Passwords

By following these procedures, you will set up a hierarchy of administrators that ensures your company follows entitlement-based access control, as you step through the process of writing some basic policies.

Note: To streamline your software evaluation, these instructions are not detailed. For a full explanation of the features, refer to the Safeguard for Privileged PasswordsAdministration Guide.

Setting up the hardware appliance

Follow these steps to set up and configure the Safeguard for Privileged Passwords 2000 Appliance.

Step 1: Before you start

Ensure that you install the Microsoft .NET Framework 4.6 (or later) on your management host.

Step 2: Prepare for installation

Gather the following items before you start the appliance installation process:

  • Laptop
  • IP address
  • IP subnet mask
  • IP gateway
  • DNS server address
  • NTP server address

    If a Safeguard for Privileged Passwords Appliance is going to be used for both Privileged Passwords and the sessions module, you need this network interface information for both the appliance and the embedded sessions module.

    CAUTION:The embedded sessions module in Safeguard for Privileged Passwords version 2.7 (and later) will be removed in a future release (to be determined). For uninterrupted service, organizations are advised to join to the more robust Safeguard for Privileged Sessions Appliance for sessions recording and playback.

    • Safeguard for Privileged Passwords license

      If you purchased Safeguard for Privileged Passwords, the appropriate license files should have been sent to you via email. If you have not received an email or need it to be resent, visit https://support.oneidentity.com/contact-us/licensing. If you need to request a trial key, please send a request to sales@oneidentity.com or call +1-800-306-9329.

      Safeguard for Privileged Passwords ships with the following modules, each requiring a valid license to enable functionality:

      • Privileged passwords
      • Embedded sessions module
Step 3: Rack the appliance

Prior to installing the racks for housing the appliance, refer to the Warnings and precautions appendix in the One Identity Safeguard Appliance Setup Guide provided in the box with the hardware equipment.

Step 4: Power on the appliance

Prior to powering up the appliance, see the Standardized warning statements for AC systems appendix in the One Identity Safeguard Appliance Setup Guide.

The Safeguard for Privileged Passwords 2000 Appliance includes dual power supplies for redundant AC power and added reliability.

  1. Plug the power cords to the power supply sockets on the appliance back and then connect the cords to AC outlets.

    TIP:As a best practice, connect the two power cords to outlets on different circuits. One Identity recommends using an UPS on all appliances.

  2. Press the Green check mark button on the front panel of the appliance for NO MORE THAN one second to power on the appliance.

    Caution: Once the Safeguard for Privileged Passwords Appliance is booted, DO NOT press and hold the Green check mark button. Holding this button for four or more seconds will cold reset the power of the appliance and may result in damage.

    You can use the Red X button to shut down the appliance. Once the Safeguard for Privileged Passwords Appliance is booted, press and hold the Red X button for four seconds until it displays POWER OFF.

    NOTE: If the Safeguard for Privileged Passwords Appliance is not yet booted, it may be necessary to press the Red X button for up to 13 seconds.

    Caution: Once the Safeguard for Privileged Passwords Appliance is booted, DO NOT press and hold the Red X button for more than 13 seconds. This will hard power off the appliance and may result in damage.

Step 5: Connect the management host to the appliance

The port used for a secure first-time configuration of the appliance is MGMT. This IP address is a fixed address that cannot be changed. It will always be available in case the primary interface becomes unavailable. The MGMT IP address is: 192.168.1.105.

The primary interface that connects your appliance to the network is X0. You must change the primary interface IP to match your network configuration. The default X0 IP is: 192.168.0.105.

The appliance can take up to five minutes to boot up. In addition, ping replies have been disabled on the appliance, so you will not be able to ping this secure appliance.

  1. Connect an Ethernet cable from the laptop to the MGMT port on the back of the appliance.
  2. Set the IP address of the laptop to 192.168.1.100, the subnet mask to 255.255.255.0, and no default gateway.

Step 6: Log in to Safeguard for Privileged Passwords
  1. Open a browser on the laptop and connect to the IP address of the MGMT port https://192.168.1.105.

    If you have problems accessing the configuration interface, check your browser Security Settings or try using an alternate browser.

  2. Accept the certificate and continue. This is only safe when using an Ethernet cable connected directly to the appliance.

  3. Log in to the Safeguard for Privileged Passwords web client using the Bootstrap Administrator account:
    • User name: admin
    • Password: Admin123

  4. The Bootstrap Administrator is a built-in account that allows you to get the appliance set up for first-time use. To keep your Safeguard for Privileged Passwords Appliance secure, change the default password for the Bootstrap Administrator’s account.

    • To change the password from the web client, click Settings in the upper-right corner of the screen and select Change Password.
    • If this password is ever lost, you can reset it to the default of Admin123. See the Safeguard for Privileged Passwords Administration Guide, Admin password reset topic.

  5. Configure the primary network interface (X0):
    1. On the Appliance Configuration page, configure the following. Click the  Edit icon to modify these settings.
      • Time: Enable NTP and set the primary NTP server; if desired, set the secondary NTP server, as well. Click Save. By default, the NTP server is set to pool.ntp.org.

      • Network (X0):
        • Enter the appliance's IPv4 and/or IPv6 address information (IP address, Subnet Mask, Gateway)
        • Enter the DNS server address.

        • Optional, enter the DNS suffixes.
        • Click Save.

      NOTE: The Network Interface (X1) information must be configured to use the embedded sessions module. You can configure the Network Interface (X1) for the Privileged Sessions module now or later using the Windows desktop client or web client.

      If one or more Safeguard Sessions Appliances are joined to Safeguard for Privileged Passwords, X1 is not available in Safeguard for Privileged Passwords.

Step 7: Connect the appliance to the network
  • Connect an Ethernet cable from your primary interface (X0) on the appliance to your network.

Setting up the virtual appliance

The Appliance Administrator uses the initial setup wizard to give the virtual appliance a unique identity, license the underlying operating system, and configure the network. The initial setup wizard only needs to be run one time after the virtual appliance is first deployed, but you may run it again in the future. It will not modify the appliance identity if run in the future.

Once set up, the Appliance Administrator can change the appliance name, license, and networking information, but not the appliance identity (ApplianceID). The appliance must have a unique identity.

The steps for the Appliance Administrator to initially set up the virtual appliance follow.

Step 1: Deploy the VM

Deploy the virtual machine (VM) to your virtual infrastructure. The virtual appliance is in the InitialSetupRequired state.

Hyper-V zip file import and set up

If you are using Hyper-V, you will need the Safeguard Hyper-V zip file distributed by One Identity to setup the virtual appliance. Follow these steps to unzip the file and import:

  1. Unzip the Safeguard-hyperv-prod... zip file.

  2. From Hyper-V, click Options.

  3. Select Action, Import Virtual Machine.
  4. On the Locate Folder tab, navigate to specify the folder containing the virtual machine to import then click Select Folder.

  5. On the Locate Folder tab, click Next.

  6. On the Select Virtual Machine tab, select Safeguard-hyperv-prod..., then click Next.

  7. On the Choose Import Type tab, select Copy the virtual machine (create a new unique ID), then click Next.
  8. On the Choose Destination tab, add the locations for the Virtual machine configuration folder, Checkpoint store, and Smart Paging folder, then click Next.
  9. On the Choose Storage Folders tab, identify Where do you want to store the imported virtual hard disks for this virtual machine? then click Next.
  10. Review the Summary tab, then click Finish.
  11. In the Settings, Add Hardware, connect to Safeguard's MGMT and X0 network adapter.
  12. Right click on the Safeguard-hyperv-prod... and click Connect... to complete the configuration and connect.
Step 2: Initial access

Initiate access using one of these methods:

  • Via a virtual display: Connect to the virtual display of the virtual machine. You will not be offered the opportunity to apply a patch with this access method. Upload and download are not available from the virtual display. Continue to step 3. If you are using Hyper-V, make sure that Enhanced Session Mode is disabled for the display. See your Hyper-V documentation for details.
  • Via a browser: Configure the networking of your virtual infrastructure to proxy https://192.168.1.105 on the virtual appliance to an address accessible from your workstation then open a browser to that address. For instructions on how to do this, consult the documentation of your virtual infrastructure (for example, VMWare). You will be offered the opportunity to apply a patch with this access method. Upload and download are available from the browser. Continue to step 3.

    IMPORTANT: After importing the OVA and before powering it on, check the VM to make sure it doesn't have a USB controller. If there is a USB controller, remove it.

Step 3: Complete initial setup

Click Begin Initial Setup. Once this step is complete, the appliance resumes in the Online state.

Step 4: Log in and configure Safeguard for Privileged Passwords
  1. To log in, enter the following default credentials for the Bootstrap Administrator then click Log in.
    • User Name: admin
    • Password: Admin123

  2. If you are using a browser connected via https://192.168.1.105, the Initial Setup pane identifies the current Safeguard version and offers the opportunity to apply a patch. Click Upload Patch to upload the patch to the current Safeguard version or click Skip. (This is not available when using the Safeguard Virtual Kiosk virtual display.)
  3. In the web management console on the Initial Setup pane, enter the following.
    1. Appliance Name: Enter the name of the virtual appliance.
    2. Windows Licensing: Select one of the following options:
      • Use KMS Server: If you leave this field blank, Safeguard will use DNS to locate the KMS Server automatically. For the KMS Server to be found, you will need to have defined the domain name in the DNS Suffixes.

        If KMS is not registered with DNS, enter the network IP address of your KMS server.

      • Use Product Key: If selected, your appliance will need to be connected to the internet for the necessary verification to add your organization's Microsoft activation key.

        You can update this information in Administrative Tools | Settings | Appliance | Operating System Licensing. For more information, see the Safeguard for Privileged Passwords Administration Guide, Operating system license.

    3. NTP: Complete the Network Time Protocol (NTP) configuration.
      • Select Enable NTP to enable the protocol.
      • Identify the Primary NTP Server IP address and, optionally, the Secondary NTP Server IP address.
    4. Network (X0): For the X0 (public) interface, enter the IPv4 and/or IPv6 information, and DNS Servers information.
  4. Click Save. The virtual appliance displays progress information as it configures Safeguard, the network adapter(s), and the operating system licensing.
  5. When you see the message Maintenance is complete, click Continue.
Step 5: Access the desktop client or use the web client

You can go to the virtual appliance's IP address for the X0 (public) interface from your browser:

  • Use the web client. For more information, see the Safeguard for Privileged Passwords Administration Guide, Using the web client.
  • Log in and download the desktop client. For more information, see the Safeguard for Privileged Passwords Administration Guide, Installing the desktop client.
Step 6: Change the Bootstrap Administrator's password

For security reasons, change the password on the Bootstrap Administrator User. For details, see the Safeguard for Privileged Passwords Administration Guide, Setting a local user's password.

View or change the virtual appliance setup

You can view or change the virtual appliance setup.

Hyper-V or VMware

  • From the web management console, click Home to see the virtual appliance name, licensing, and networking information.
  • After the first setup, Safeguard for Privileged Passwords updates and networking changes can be made via the web management console by clicking Setup.

Completing the appliance setup

After setting up the hardware appliance, complete these steps.

Step 1: Install the desktop client application and desktop player

NOTE: PuTTY is used to launch the SSH client for SSH session requests and is included in the install. The desktop client looks for any user-installed PuTTY in the following locations:

  • Any reference to putty in the PATH environment variable
  • c:/Program Files/Putty
  • c:/Program Files(x86)/Putty
  • c:/Putty

If PuTTY is not found, the desktop client uses the version of PuTTY that it installed at:

<user-home-dir>/AppData/Local/Safeguard/putty.

If the user later installs PuTTY in any of the locations above, the desktop client uses that version which ensures the user has the latest version of PuTTY.

Installing the Safeguard for Privileged Passwords desktop client application

  1. To download the Safeguard for Privileged Passwords desktop client Windows installer .msi file, open a browser and navigate to:

    https://<Appliance IP>/Safeguard.msi

    Save the Safeguard.msi file in a location of your choice.

  2. Run the MSI package.
  3. Select Next in the Welcome dialog.
  4. Accept the End-User License Agreement and select Next.
  5. Select Install to begin the installation.
  6. Select Finish to exit the desktop client setup wizard.

Installing the Desktop Player

CAUTION: If the Desktop Player is not installed and a user tries to play back a session from the Activity Center, a message like the following will display: No Desktop Player. The Safeguard Desktop Player is not installed. Would you like to install it now? The user will need to click Yes to go to the download page to install the player following step 2 below.

  1. Once the Safeguard for Privileged Passwords installation is complete, go to the Windows Start menu, Safeguard folder, and click Download Safeguard Player to be taken to the One Identity Safeguard for Privileged Sessions - Download Software web page.
  2. Follow the Install Safeguard Desktop Player section of the player user guide found here:

    1. Go to One Identity Safeguard for Privileged Sessions - Technical Documentation.
    2. Scroll to User Guide and click One Identity Safeguard for Privileged Sessions [version] Safeguard Desktop Player User Guide.
  3. For Safeguard Desktop player version 1.8.6 and later, ensure your signed web certificate has a Subject Alternative Name (SAN) that includes each IP address of each of your cluster members. If the settings are not correct, the Safeguard Desktop Player will generate a certificate warning like the following when replaying sessions: Unable to verify SSL certificate. To resolve this issue, import the appropriate certificates including the root CA.

New Desktop Player versions

When you have installed a version of the Safeguard Desktop Player application, you will need to uninstall the previous version to upgrade to a newer player version.

Step 2: Start the desktop client
  1. Log in using the Bootstrap Administrator account.
  2. Run the desktop client and log in with the configured IPv4 or IPv6 address for the primary interface (X0). To log in with an IPv6 address, enter it in square brackets.
  3. License one or both of the Safeguard for Privileged Passwords modules using the provided license files:
    • Privileged passwords
    • Embedded sessions module
  4. Designate an archive server for storing session recordings. Defining archive server configurations and assigning an archive server to an appliance are done from the desktop's Administrative Tools view:

    • Go to Settings | Backup and Retention | Archive Servers to configure archive servers.
    • Go to Settings | Sessions | Session Recordings Storage Management to assign an archive server to an appliance for storing recording files.
  5. To configure the time zone:

    1. Navigate to Administrative Tools | Settings | Safeguard Access | Time Zone.
    2. Select the time zone in the Default User Time Zone drop-down menu.
  6. Ensure that your Safeguard for Privileged Passwords Appliance has the latest software version installed. To check the version:
    1. From the Safeguard for Privileged Passwords Desktop Client, log in with admin account credentials.
    2. Click Settings | Appliance | Appliance Information. The Appliance Version is displayed.
    3. Go to the following product support page for the latest version:

      https://support.oneidentity.com/one-identity-safeguard/download-new-releases

    4. If necessary, apply a patch. Wait for maintenance. If you are installing multiple patches, repeat as needed.
Step 3: Backup Safeguard for Privileged Passwords

Immediately after your initial installation of Safeguard for Privileged Passwords, make a backup of your Safeguard for Privileged Passwords Appliance.

NOTE: The default backup schedule runs at 22:00 MST, which can be modified rather than manually running a backup.
  1. From the Safeguard for Privileged Passwords desktop Home page, select  Administrative Tools.
  2. In Settings, select Backup and Retention | Backups.
  3. Click  Run Now.
Step 4: Update Safeguard for Privileged Passwords

Download the latest update from: https://support.oneidentity.com/one-identity-safeguard/.

  1. From the Safeguard for Privileged Passwords desktop Home page, select  Administrative Tools.
  2. In Settings, select Appliance | Updates.
  3. Click Upload a File and browse to select an update file.

    Note: When you select a file, Safeguard for Privileged Passwords uploads it to the server, but does not install it.

  4. Click Install Now to install the update file immediately.
  5. Once you have updated Safeguard for Privileged Passwords, be sure to back up your Safeguard for Privileged Passwords Appliance.
Step 5: Add a user with Authorizer administrative permissions

The Authorizer Administrator is responsible for granting administrative access to Safeguard for Privileged Passwords.

  1. From the Safeguard for Privileged Passwords desktop Home page, select  Administrative Tools.

    Note: This is where you add all the objects you need to write access request policies, such as users, accounts, and assets.

  2. In Administrative Tools, select Users.
  3. Click  Add User to create a Safeguard for Privileged Passwords user with a local authentication provider and Authorizer Administrator permissions.
    Username Password Permissions Description
    AuthorizerAdmin Test123 Authorizer The administrator responsible for granting all administrative access to Safeguard for Privileged Passwords.

    Note: When you choose Authorizer permissions, Safeguard for Privileged Passwords also selects User and Help Desk permissions. These additional settings cannot be cleared.

  4. Log out:
    1. In the upper-right corner of the screen, click the user avatar.
    2. Select Log Out.
Step 6: Change the local security policy

Before Safeguard for Privileged Passwords can reset local account passwords on Windows systems, you must change the local security policy.

  1. From the Windows Start menu, open Local Security Policy.
  2. Navigate to Local Policies | Security Options.
  3. Disable User Account Control: Run all administrators in Admin Approval Mode option.
  4. Restart your computer.
Step 7: Enable password authentication (applies to Privileged Sessions module only)

For some systems (SUSE and some Debian systems) that use SSH, you must enable password authentication in the package generated configuration file (sshd_config).

For example, in the debian sshd_config file, enable the following parameter: PasswordAuthentication yes

Related Documents