Chat now with support
Chat with Support

The Quest and One Identity Support Portals will be unavailable on Friday July 10, 2020 from 5:30 PM to 6:30 PM for website maintenance.

One Identity Safeguard for Privileged Passwords 2.4 - Administration Guide

Introduction System requirements Installing the One Identity Safeguard for Privileged Passwords desktop client Setting up Safeguard for Privileged Passwords for the first time Getting acquainted with the console Privileged access requests Toolbox Accounts Account Groups Assets Asset Groups Directories Entitlements Partitions Settings
Access Request settings Appliance settings Asset Management settings Backup and Retention settings Certificate settings Cluster settings External Integration settings Messaging settings Profile settings Access settings Sessions settings
Users User Groups Disaster recovery Administrator permissions Preparing systems for management Troubleshooting Frequently asked questions
How do I access the API How do I audit transaction activity How do I configure external federation authentication How do I manage accounts on unsupported platforms How do I modify the appliance configuration settings How do I prevent Safeguard for Privileged Passwords messages when making RDP connections How do I see which assets and/or accounts are governed by a profile How do I set the appliance system time How do I setup discovery jobs How do Safeguard for Privileged Passwords database servers use SSL What are the access request states What do I do when an appliance goes into quarantine What is required for One Identity Safeguard for Privileged Passwords Privileged Sessions What is required to integrate with Starling Identity Analytics & Risk Intelligence What needs to be set up to use Application to Application What role-based email notifications are generated by default When does the rules engine run for dynamic grouping and tagging Why did the password change during an open request Why join Safeguard for Privileged Passwords to One Identity Starling
Safeguard Desktop Player Appendix: Safeguard ports

Disaster recovery

Safeguard for Privileged Passwords provides a solution for disaster recovery scenarios by allowing you to configure a cluster of appliances. Clustering ensures continuation of vital technology infrastructure and systems and recovery from a natural or human-induced disaster.

A Safeguard for Privileged Passwords cluster consists of two or more Safeguard for Privileged Passwords Appliances configured to communicate over TCP port 655. One appliance in the cluster is designated as the "primary". Non-primary appliances are referred to as "replicas".

All vital data stored on the primary appliance is also stored on the replicas. In the event of a disaster, where the primary appliance is no longer functioning, you can promote a replica to be the new primary appliance. This reduces downtime and data loss. While you can only have one primary, you can have up to four replicas. The replicas provide a read-only view of the security policy configuration; however, users can log into replicas to request access, generate reports or audit the data.

Enrolling and unjoining cluster members

Keep the following considerations in mind when performing the enroll replica and unjoin replica operations to create a Safeguard for Privileged Passwords cluster.

Enroll cluster members
  • Update all appliances to the same appliance build (patch) prior to building your cluster.
  • To enroll an appliance into a cluster, the appliance must communicate over port 655 UDP/TCP and port 443 TCP.
  • All members of a cluster must all have IPv4 or IPv6 network addresses. That is, if one appliance has only IPv4, all appliances in the cluster must have IPv4; same with IPv6. An appliance with only IPv4 cannot communicate with an appliance with only IPv6.
  • Appliances can only belong to a single cluster.
  • You can only enroll replica appliances to a cluster when logged into the primary appliance (using an account with Appliance Administrator permissions).
  • You can only add one appliance at a time - the maintenance operation must be complete before adding additional replicas.
  • Enrolling a replica can take as little as 5 minutes or as long as 24 hours depending on the amount of data to be replicated and your network.

  • During an "enroll replica" operation, Safeguard for Privileged Passwords puts the replica appliance in Maintenance mode and locks down the remaining appliances in the cluster. On the primary appliance, you will see an "enrolling" notice in the status bar of the cluster view, indicating that a cluster-wide operation is in progress. While a cluster-wide operation is occurring, all appliances in the cluster are locked down meaning that no modifications, password change or check requests, or access requests can be performed on any of the appliances in the cluster.

    Once the maintenance operation (enroll replica operation) is complete, the diagram in the cluster view (left pane) shows the link latency on the connector. The appliances in the cluster are unlocked and users can once again use the features available in Safeguard for Privileged Passwords.

    TIP: The Activity Center contains events for the start and the completion of the enrollment process.

  • The primary appliance's objects and security policy configuration are replicated to all replica appliances in the cluster. If a replica has objects (such as users, assets, and so on) or security policy configuration defined, they will be replaced with the objects and configuration defined on the primary.
  • Some of the maintenance tasks available require that the cluster has consensus (that is, the majority of the remaining members are online and able to communicate). When half (or 50%) of your appliances in the cluster are online and able to communicate this is NOT the majority. Therefore, it is highly recommended that you create clusters with an odd number of appliances.

For detailed instructions, see Enrolling replicas into a cluster.

Unjoin cluster members

  • You can only unjoin replica appliances from a cluster.

    To remove a primary appliance, you can failover to a replica making the replica the new primary and then unjoin the 'old' primary appliance. For more information, see Failing over to a replica by promoting it to be the new primary.

    NOTE: If the cluster has consensus (that is, the majority of the remaining members are online and able to communicate), you can use the Failover option to promote a replica to be the new primary and then unjoin the 'old' primary appliance. However, if the cluster does not have consensus (that is, the majority of the remaining members are offline/unable to communicate), you must use the Cluster Reset option to rebuild your cluster. For more information, see Resetting a cluster that has lost consensus.

  • To perform an unjoin operation, the replica appliance to be unjoined can be in any state; however, the remaining appliances in the cluster must achieve consensus.
  • You can unjoin a replica appliance when logged into any appliance in the cluster that is online (using an account with Appliance Administrator permissions).

  • When you unjoin a replica appliance from a cluster, the appliance is removed from the cluster as a stand-alone appliance that retains all of the data and security policy configuration information it contained prior to being unjoined. After the replica is unjoined, the appliance is placed in a Read-Only mode. You can however activate the appliance so you can add, delete and modify data, apply access request workflow, and so on. For more information, see Activating a read-only appliance.

    NOTE: When a replica is activated, it will start to manage the assets and accounts in its own configuration.

For detailed instructions, see Unjoining replicas from a cluster.

Enrolling replicas into a cluster

Safeguard for Privileged Passwords allows the Appliance Administrator to create a cluster of up to five appliances, one primary and four replicas.

Prior to enrolling cluster members into a Safeguard for Privileged Passwords cluster, review the enrollment considerations; see Enrolling and unjoining cluster members

 NOTE: It is highly recommended that you take a backup of your primary appliance before enrolling replicas to a cluster.

To enroll a replica

  1. Log into the primary appliance as an Appliance Administrator.
  2. In Administrative Tools, navigate to Settings | Cluster | Cluster Management.
  3. Click (or tap)  Add Replica to join a Safeguard for Privileged Passwords Appliance to a cluster. 
  4. In the Add Replica dialog, enter a network DNS name or the IP address of the replica appliance into the Network Address field and click (or tap) Connect.

  5. Safeguard for Privileged Passwords connects to the replica and displays the login screen for the replica appliance.

    1. Enter a valid account with Appliance Administrator permissions.

    2. In the Add Replica confirmation dialog, enter the words Add Replica and click (or tap) OK to proceed with the operation.

    Safeguard for Privileged Passwords displays (synchronizing icon) and (lock icon) next to the appliance it is enrolling and puts the replica appliance in Maintenance mode while it is enrolling into the cluster.

    On all of the appliances in the cluster, you will see an "enrolling" banner at the top of the cluster view, indicating that a cluster-wide operation is in progress and all appliances in the cluster are locked down.

    Once the maintenance operation (enroll replica operation) is complete, the diagram in the cluster view (left pane) shows the link latency on the connector. The appliances in the cluster are unlocked and users can once again make access requests.

    		 NOTE: Enrolling a replica can take up to 24 hours depending on the amount of data to be replicated and your network.

  6. Log into the replica appliance as the Appliance Administrator.

    Notice that the appliance has a state of Replica (meaning it is in a Read-Only mode); and contains the objects and security policy configuration defined on the primary appliance.

    NOTE: You cannot add, delete or modify the objects or security policy configuration on a replica appliance; however, you can perform password change and check operations and make password release and session access requests. Network configuration is done on each unique appliance, whether it is the primary or a replica.

Unjoining replicas from a cluster

Safeguard for Privileged Passwords allows the Appliance Administrator to unjoin replica appliances from a cluster.

Prior to unjoining a replica from a Safeguard for Privileged Passwords cluster, review the unjoin considerations: See Enrolling and unjoining cluster members.

NOTE: After a replica appliance is unjoined from a cluster, it remains in a Read-Only mode. See Activating a read-only appliance for instructions on how to bring this appliance back online.

To unjoin a replica from a cluster

  1. Log into an appliance in the cluster, as an Appliance Administrator.
  2. In Administrative Tools, navigate to Settings | Cluster | Cluster Management.
  3. In the cluster view (left pane), select the replica node to be unjoined from the cluster.
  4. In the details view (right pane), click (or tap) Unjoin.

  5. In the Unjoin confirmation dialog, enter the word Unjoin and click (or tap) OK to proceed.

    Safeguard for Privileged Passwords displays (synchronizing icon) and (lock icon) next to the appliance it is unjoining and puts the replica appliance in Maintenance mode while it is unjoining from the cluster.

    Once the operation has completed, the replica appliance no longer appears in the cluster view (left pane).

NOTE: If you log into the replica appliance using the desktop client while Safeguard for Privileged Passwords is processing an unjoin operation, you will see the maintenance mode screen. At the end of the maintenance mode, you will see a Restart Desktop Client button indicating that the unjoin operation completed successfully.

Related Documents