One Identity Safeguard for Privileged Passwords 2.5 - Administration Guide

Using a backup to restore a clustered appliance

 

NOTE: When a backup is created, the state of the sessions module is saved, which can be either the embedded sessions module (SPP) or the joined sessions module (SPS). Restoring a backup restores the sessions module to the state it was in when the backup was taken, regardless of its state when the restore was started.

In a clustered environment, the objective of a cluster backup is to preserve and allow the restoration of all operational data, including access request workflow, users/accounts, audit logs and so on. All appliances in a cluster (primary and replicas) can be backed up. However, a backup should only be restored to an appliance in the worst-case scenario where no appliance can be restored using the failover operation.

When a backup is restored to an appliance, all of the cluster configuration data is purged. The appliance is restored as a stand-alone primary appliance in Read-only mode with no replicas. However, all the access request workflow, user/account, and audit log data that existed when the backup was taken is retained. This primary appliance can then be activated and replicas can be joined to recreate a cluster.

To take a backup of an appliance

  1. Log into the appliance as an Appliance Administrator.
  2. In Administrative Tools, select Settings | Backup and Restore.
  3. Click Run Now to create a copy of the data currently on the primary appliance.

    For more information, see Run Now.

    Or you can click Backup Settings, in the upper right corner of the Backups page, to configure an automatic backup schedule.

    For more information, see Backup and Restore.

To restore an appliance from a backup

NOTE: A backup can be restored to any appliance that is running the same version of Safeguard for Privileged Passwords.

  1. Log into the appliance to be restored as an Appliance Administrator.
  2. In Administrative Tools, select Settings | Backup and Restore.
  3. Select the backup to be used and click Restore.

    NOTE: If you want to use a backup file taken on a different appliance, that backup file must first be downloaded from the appliance where the backup was taken. The downloaded backup file must then be uploaded to the appliance being restored before you can use the Restore option.

  4. In the Restore dialog, enter the word Restore and click OK.

    For more information, see Restore.

The appliance is restored as a stand-alone primary appliance in Read-only mode with no replicas.

To rebuild a cluster

  1. Log into the primary appliance as an Appliance Administrator.
  2. Activate the Read-only primary appliance.
    1. In Administrative Tools, navigate to Settings | Cluster | Cluster Management.
    2. Select the node to be activated from the cluster view (left pane).
    3. Click Activate.
    4. Confirm the activate operation.

    For more information, see Activating a read-only appliance.

  3. One at a time, enroll the replica appliances to rebuild your cluster.
    1. In Administrative Tools, select Settings | Cluster.
    2. Click Add Replica to join a replica appliance to the cluster.

    Once the enroll operation completes, repeat to add your appliances back into the cluster as replicas.

    NOTE: Enrolling a replica can take up to 24 hours depending on the amount of data to be replicated and your network.

    For more information, see Enrolling replicas into a cluster.

Related Topics

Backup and Restore

Resetting a cluster that has lost consensus

Resetting the cluster configuration allows you to recover a cluster that has lost consensus. If the cluster regains consensus after connectivity is restored, the primary will return to Read-Write mode and password check and change will be re-enabled. However, if it does not regain consensus, the Appliance Administrator must perform a cluster reset to force-remove nodes from the cluster.

If you are concerned about network issues, reset the cluster with only the new primary appliance. Once the cluster reset operation is complete, enroll appliances one by one to create a new cluster.

Caution: Resetting a cluster should be your last resort. It is recommended that you restore from a backup rather than reset a cluster.

IMPORTANT: Only reset the cluster if you are certain that consensus has been lost; otherwise, you could introduce a split-brain scenario. (A split-brain scenario is one where a cluster gets divided into smaller clusters. Each of these smaller clusters believes it is the only active cluster and may then access the same data, which could lead to data corruption.)

To reset a cluster

  1. In Settings, select Cluster.
  2. Click the Reset Cluster button.

    The Reset Cluster dialog displays listing the appliances (primary and replicas) in the cluster.

  3. In the Reset Cluster dialog, select the nodes to be included in the reset operation and use the Set Primary button to designate the primary appliance in the cluster.

    NOTE: Nodes must have an appliance state of Online or Online Read-only and be able to communicate to be included in the reset operation. If you select a node that is not online or not available, you will get an error and the reset operation will fail.

  4. Click Reset Cluster.
  5. In the confirmation dialog, enter the words Reset Cluster and click OK.

    When connected to the new primary appliance, the Configuring Safeguard for Privileged Passwords Appliance progress page displays showing the steps being performed as part of the maintenance task to reset the cluster.

  6. Once the maintenance tasks have completed, click Restart Desktop Client.

Once reset, the cluster only contains the appliances that were included in the reset operation.

Performing a factory reset

As an Appliance Administrator, you can use the Factory Reset feature to reset a Safeguard for Privileged Passwords Appliance to recover from major problems or to clear the data and configuration settings on the appliance.

Caution: Care should be taken when performing a factory reset against an appliance, because this operation removes all data and audit history, returning it to its original state when it first came from the factory. The appliance must go through configuration again as if it had just come from the factory. For more information, see Setting up One Identity Safeguard for Privileged Passwords for the first time.

In addition, performing a factory reset may change the default SSL certificate and default SSH host key.

IMPORTANT: When performing a factory reset from the recovery kiosk, this is a challenge response operation, where Safeguard for Privileged Passwords generates a challenge that is then sent to One Identity Support to get a response back. You must then copy and paste this challenge response into the kiosk screen in order to proceed. Please keep the following information in mind when performing a challenge response operation:

  • A challenge response is only good for 24 hours.
  • Do not navigate away from the kiosk or refresh the kiosk during a challenge response operation. Doing so will invalidate the challenge response.

NOTE: Clustered environment: Performing a factory reset on a clustered appliance will not automatically remove the appliance from a cluster. The recommended best practice is to unjoin an appliance from the cluster before performing a factory reset on the appliance. After the unjoin and factory reset, the appliance must be configured again. For more information, see Setting up One Identity Safeguard for Privileged Passwords for the first time.

A factory reset of an appliance may be initiated from the Appliance Information settings page in the desktop client, from the recovery kiosk, or using the API.

To perform a factory reset from the desktop client

  1. Navigate to Administrative Tools | Settings | Appliance | Factory Reset.
  2. Click Factory Reset.
  3. In the Factory Reset confirmation dialog, enter the words Factory Reset and click OK.

    The appliance will go into Maintenance mode to revert the appliance. Once completed, you will be prompted to restart the desktop client. If the appliance had been in a cluster, you may need to unjoin the factory reset appliance. The factory reset appliance must be configured again. For more information, see Setting up One Identity Safeguard for Privileged Passwords for the first time. In addition, when you log into the appliance, you will be prompted to add your Safeguard for Privileged Passwords licenses.

To perform a factory reset from the recovery kiosk

NOTE: You must contact One Identity Technical Support to perform a Factory Reset from the recovery kiosk.

  1. From the recovery kiosk, select the Factory Reset option.
  2. Press the right arrow key.
  3. At id, enter your identification and press the Tab key (or down arrow).
  4. At Get Challenge, press the Enter key.

    Safeguard for Privileged Passwords produces a challenge.

  5. Copy and paste the challenge and send it to One Identity Support.

  6. When you get the response from One Identity Support, copy and paste the response into the kiosk screen and select Factory Reset.

Unlocking a locked cluster

In order to maintain consistency and stability, only one cluster operation can run at a time. To ensure this, Safeguard for Privileged Passwords locks the cluster while a cluster operation is running, such as enroll, unjoin, failover, patch, reset, and routine maintenance. The Cluster view shows that the cluster is locked and that any changes to the cluster configuration are not allowed until the operation completes. The banner that appears at the top of the screen explains the operation in progress, and a red lock icon next to an appliance indicates that the appliance is locking the cluster.

To unlock a locked cluster

  1. Click the lock icon in the upper right corner of the warning banner.
  2. In the Unlock Cluster confirmation dialog, enter Unlock Cluster and click OK.

    This will release the cluster lock that was placed on all of the appliances in the cluster and terminate the operation.

IMPORTANT: Care should be taken when unlocking a locked cluster. It should only be used when you are sure that one or more appliances in the cluster are offline and will not finish the current operation. If you force the cluster unlock, you may cause instability on an appliance requiring a factory reset and possibly the need to rebuild the cluster. If you are unsure about the operation in progress, do NOT unlock the cluster. Most often, it will eventually time out and unlock on its own.