Chat now with support
Chat with Support

The Quest and One Identity Support Portals will be unavailable on Friday July 10, 2020 from 5:30 PM to 6:30 PM for website maintenance.

One Identity Safeguard for Privileged Passwords 2.4 - Administration Guide

Introduction System requirements Installing the One Identity Safeguard for Privileged Passwords desktop client Setting up Safeguard for Privileged Passwords for the first time Getting acquainted with the console Privileged access requests Toolbox Accounts Account Groups Assets Asset Groups Directories Entitlements Partitions Settings
Access Request settings Appliance settings Asset Management settings Backup and Retention settings Certificate settings Cluster settings External Integration settings Messaging settings Profile settings Access settings Sessions settings
Users User Groups Disaster recovery Administrator permissions Preparing systems for management Troubleshooting Frequently asked questions
How do I access the API How do I audit transaction activity How do I configure external federation authentication How do I manage accounts on unsupported platforms How do I modify the appliance configuration settings How do I prevent Safeguard for Privileged Passwords messages when making RDP connections How do I see which assets and/or accounts are governed by a profile How do I set the appliance system time How do I setup discovery jobs How do Safeguard for Privileged Passwords database servers use SSL What are the access request states What do I do when an appliance goes into quarantine What is required for One Identity Safeguard for Privileged Passwords Privileged Sessions What is required to integrate with Starling Identity Analytics & Risk Intelligence What needs to be set up to use Application to Application What role-based email notifications are generated by default When does the rules engine run for dynamic grouping and tagging Why did the password change during an open request Why join Safeguard for Privileged Passwords to One Identity Starling
Safeguard Desktop Player Appendix: Safeguard ports

Directory Account

You can configure Safeguard for Privileged Passwords to authenticate to a managed system using an account from an external identity store such as Microsoft Active Directory.

NOTE: In order to use this authentication type, you must first add a directory to Safeguard for Privileged Passwords and add domain user accounts. For more information, see Directories.

Table 66: Directory Account authentication type properties
Property Description
Service Account

Click (or tap) Select Account to choose a domain user account. The accounts available for selection are domain user accounts that are linked to a directory that was previously added to Safeguard for Privileged Passwords.

Required

Test Connection

Click (or tap) this button to verify that Safeguard for Privileged Passwords can log into this asset using the service account credentials you have provided. For more information, see About Test Connection.

Advanced

Open to reveal the following settings:

NOTE: The settings available depend on the type of asset.

Privilege Level Password Enter the system enable password to allow access to the Cisco configuration.
Privilege Elevation Command

Enter a privilege elevation command (such as sudo), if required.

Safeguard for Privileged Passwords uses this as a prefix for commands that require privileged access on the system and to manage accounts on Unix-based systems; that is, to check and change passwords and to discover accounts.

Important: When adding an asset, Safeguard for Privileged Passwords uses this command to perform Test Connection. For more information, see About Test Connection.

To enable Safeguard for Privileged Passwords to elevate the privileges of the service account, assign the asset to the scope of a partition profile that has the privilege elevation command defined. For more information, see Creating a partition profile.

The privilege elevation command must run non-interactively, that is, without prompting for a password. For more information, see Prepare Unix-based systems.

Limit: 255 characters

Auto Accept SSH Host Key

Select this option to have Safeguard for Privileged Passwords automatically accept an SSH host key.

NOTE: When an asset requiring an SSH host key does not have one, Check Password will fail. For more information, see Connectivity failures.

Instance

(Optional) Specify the instance name if you have configured multiple instances of a SQL Server on this asset.

NOTE: If you have configured a default (unnamed) instance of the SQL Server on the host, you need to provide the IP address and port number.

Port

Enter the port number to log into the asset.

NOTE: This option is not available for all operating systems.

Required

Connection Timeout

Enter the directory connection timeout period.

Default: 20 seconds

Local System Account

You can configure Safeguard for Privileged Passwords to authenticate to a managed SQL Server using a local system account and password. The local system account is a Windows user account on the server that is hosting the SQL database.

NOTE: In order to use this authentication type, you must add both a Windows asset and a SQL Server asset to Safeguard for Privileged Passwords.

Table 67: Local System Account authentication type properties
Property Description
Service Account

Click (or tap) Select Account to choose the local system account associated with the SQL Server for Safeguard for Privileged Passwords to use for management tasks.

Required

Test Connection

Click (or tap) this button to verify that Safeguard for Privileged Passwords can log into this asset using the local system account credentials you have provided. For more information, see About Test Connection.

Advanced

Open to reveal the following settings:

Instance

(Optional) Specify the instance name if you have configured multiple instances of a SQL Server on this asset.

NOTE: If you have configured a default (unnamed) instance of the SQL Server on the host, you need to provide the IP address and port number.

Port

Enter the port number to log into the asset.

Required

Connection Timeout

Enter the SQL server connection timeout period.

Default: 20 seconds

Password

You can configure Safeguard for Privileged Passwords to authenticate to a managed system using a local service account and password.

Note: Some options are not available for all operating systems.

Table 68: Password authentication type properties
Property Description
Distinguished Name

For LDAP platforms, enter the fully qualified distinguished name (FQDN) for the service account.

For example: cn=dev-sa,ou=people,dc=example,dc=com

Service Account Name

Browse to select the service account for Safeguard for Privileged Passwords to use for management tasks. When you add the asset, Safeguard for Privileged Passwords automatically adds the service account to Accounts. For more information, see About service accounts.

Required except for LDAP platforms, which use the Distinguished Name.

Service Account Password

Enter the service account password used to authenticate to this asset.

Limit: 255 characters

Required

Test Connection

Click (or tap) this button to verify that Safeguard for Privileged Passwords can log into this asset using the service account credentials you have provided. For more information, see About Test Connection.

Privilege Level Password

Enter the Enable password to allow access to the Cisco configuration.

Privilege Elevation Command

Enter a privilege elevation command (such as sudo), if required.

Safeguard for Privileged Passwords uses this as a prefix for commands that require privileged access on the system and to manage accounts on Unix-based systems; that is, to check and change passwords and to discover accounts.

Important: When adding an asset, Safeguard for Privileged Passwords uses this command to perform Test Connection. For more information, see About Test Connection.

To enable Safeguard for Privileged Passwords to elevate the privileges of the service account, assign the asset to the scope of a partition profile that has the privilege elevation command defined. For more information, see Creating a partition profile.

The privilege elevation command must run non-interactively, that is, without prompting for a password. For more information, see Prepare Unix-based systems.

Limit: 255 characters

Auto Accept SSH Host Key

This option is selected by default indicating that Safeguard for Privileged Passwords automatically accepts an SSH host key.

Once the SSH host key is discovered, the SSH host key fingerprint is displayed.

NOTE: When an asset requiring an SSH host key does not have one, Check Password will fail. For more information, see Connectivity failures.

NOTE: This option is not available for all platforms.

Use SSL Encryption

Select this option to enable Safeguard for Privileged Passwords to encrypt communication with this asset.

NOTE: If you do not select this option for a Microsoft SQL Server that is configured to Force Encryption, Test Connection will use untrusted encryption and succeed with valid credentials. For more information about how Safeguard for Privileged Passwords database servers use SSL, see How do Safeguard for Privileged Passwords database servers use SSL

Verify SSL Certificate

Use this option to enable or disable SSL Certificate verification on the asset.

When enabled, Safeguard for Privileged Passwords compares the signing authority of the certificate presented by the asset to the certificates in the Trusted Certificates store every time Safeguard for Privileged Passwords connects to the asset. Trust must be established for Safeguard for Privileged Passwords to manage the asset.

NOTE: For Safeguard for Privileged Passwords to verify an SSL certificate, you must add the asset's signing authority certificate to the Trusted Certificates store.

NOTE: Only clear the Verify SSL Certificate option if you do not want to establish trust with the asset’s certificate in Safeguard for Privileged Passwords's Trusted Certificates store. One Identity does not recommend disabling this option in production environments.

Instance

(Optional) Specify the instance name if you have configured multiple instances of a SQL server on this asset.

NOTE: If you have configured a default (unnamed) instance of the SQL Server on the host, you need to only provide the IP address and port number.

Workstation ID

Specify the configured workstation ID, if applicable.

NOTE: This option is only available for IBM i systems.

Port

Enter the port number on which the asset will be listening for connections.

Default: port 22; port 1433 for SQL server; port 8443 for SonicWALL SMA or CMS appliance.

Required

Connection Timeout

Enter the connection timeout period.

Default: 20 seconds

Access Key

You can configure Safeguard for Privileged Passwords to authenticate to a managed system using an access key.

Table 69: Access Key authentication type properties
Property Description
Service Account

Enter an account for Safeguard for Privileged Passwords to use for management tasks. For more information, see About service accounts.

Access Key ID

Enter the unique identifier that is associated with the secret key. The access key ID and secret key are used together to sign programmatic AWS requests cryptographically.

Limit: 32 alphanumeric characters

Secret Key

Enter a secret access key used to cryptographically sign programmatic Amazon Web Services (AWS) requests.

Limit: 40 alphanumeric characters; the + and the / characters are also allowed.

Test Connection

Click (or tap) this button to verify that Safeguard for Privileged Passwords can log into this asset using the service account credentials you have provided. For more information, see About Test Connection.

Port

Enter the port number to log into the asset.

Connection Timeout

Enter the connection timeout period.

Default: 20 seconds

Related Documents