Introduction
Introduction to One Identity Safeguard for Privileged Passwords
System requirements
Key features
What's new in version 2.1
What's new in version 2.2
What's new in version 2.3
What's new in version 2.4
What's new in version 2.5
Appliance specifications
Desktop client system requirements
Web client system requirements
Supported platforms
Product licensing
Installing the One Identity Safeguard for Privileged Passwords desktop client
Setting up Safeguard for Privileged Passwords for the first time
Step 1: Authorizer Administrator creates administrators
Step 2: Appliance Administrator configures the appliance
Step 3: User Administrator adds users
Step 4: Asset Administrator adds managed systems
Step 5: Directory Administrator adds external identity stores
Step 6: User Administrator adds directory groups
Step 7: Security Policy Administrator adds access request policies
Getting acquainted with the console
Toolbar controls
Navigation pane
Privileged access requests
Home
Dashboard
Activity Center
Applying search criteria
Saving search criteria
Generating an activity audit log report
Scheduling an activity audit log report
Editing or deleting a saved search or scheduled report
Viewing event details
Auditing request workflow
Filtering report results
Sorting report results
Reports
Administrative Tools
Creating, editing, or removing a favorite request
Configuring alerts
Password release request workflow
Toolbox
Accounts
Requesting a password release
Approving a password release request
Reviewing a completed password release request
Session request workflow
General tab
Access Request Policies tab
Account Groups tab
Check and Change Log tab
History tab
Managing accounts
Account Groups
Assets
General tab
Accounts tab
Account Dependencies tab
Access Request Policies tab
Asset Groups tab
History tab
Managing assets
Asset Groups
Directories
Adding an asset
Checking an asset's connectivity
Assigning an asset to a partition
Assigning a profile to an asset
Manually adding a tag to an asset
Adding an account to an asset
Adding account dependencies
Adding an asset to asset groups
Modifying an asset
Deleting an asset
Discovery
Create an asset discovery job
Managing asset discovery jobs
Importing objects
Downloading a public SSH key
General tab
Accounts tab
Profiles tab
Discovered Accounts tab
History tab
Managing Directories
Entitlements
Adding a directory
Checking a directory's connectivity
Adding directory accounts to a directory
Managing directory account discovery jobs
Setting directory account passwords
Creating a directory profile
Modifying a directory profile
Setting a default directory profile
Adding accounts to a directory profile
Modifying a directory
Deleting a directory
General tab
Users tab
Access Request Policies tab
History tab
Managing entitlements
Partitions
Adding an entitlement
Adding users or user groups to an entitlement
Creating an access request policy
General tab
Scope tab
Requester tab
Approver tab
Reviewer tab
Access Config tab
Session Settings tab
Time Restrictions tab
Emergency tab
Deleting an access request policy
Modifying an access request policy
Copying an access request policy
Viewing and editing policy details
Modifying an entitlement
Deleting an entitlement
General tab
Assets tab
Accounts tab
Profiles tab
Discovered Accounts tab
History tab
Managing partitions
Settings
Access Request settings
Appliance settings
Users
Appliance Information
Diagnostics
Enable or Disable Services (Application to Application service)
Factory Reset from the desktop client
Licensing
Lights Out Management (BMC)
Networking
Support Bundle
Time
Updates
Asset Management settings
Account Discovery
Custom Platforms
Directory Tags
Backup and Retention settings
Certificate settings
Adding a tag for dynamic tagging of directory accounts
Deleting a directory account tag
Modifying a directory account tag
Copying a directory account tag to another directory
Viewing directory account tag assignments
Tags
About certificates
Audit Log Signing Certificate
Certificate Signing Request
Sessions Certificates
Cluster settings
External Integration settings
Installing a sessions certificate
Creating a Certificate Signing Request for Sessions
Resetting to use default certificate
SSL Certificates
Installing an SSL certificate
Creating a Certificate Signing Request (CSR)
Assigning a certificate to appliances
Trusted Certificates
Application to Application
Messaging settings
Profile settings
About Application to Application functionality
Adding an application registration
Deleting an application registration
Regenerating an API key
Approval Anywhere
Email
Identity and Authentication
Sessions management
SNMP
Starling
Syslog
Ticketing
Account Password Rules
Change Password
Check Password
Directory Account Password Rules
Directory Change Password
Directory Check Password
Password Sync Groups
Access settings
Sessions settings
General tab
User Groups tab
Partitions tab
Entitlements tab
Linked Accounts tab
History tab
Managing users
User Groups
Disaster recovery and clusters
Adding a user
Requiring user to log in using secondary authentication
Adding a user to user groups
Assigning a user to partitions
Adding a user to entitlements
Linking a directory account to a user
Modifying a user
Deleting a user
Importing objects
Setting a local user's password
Unlocking a user's account
Enabling or disabling a user
Enrolling replicas into a cluster
Unjoining replicas from a cluster
Maintaining and diagnosing cluster members
Administrator permissions
Enable offline workflow
Failing over to a replica by promoting it to be the new primary
Activating a read-only appliance
Diagnosing a cluster member
Patching cluster members
Using a backup to restore a clustered appliance
Resetting a cluster that has lost consensus
Performing a factory reset
Unlocking a locked cluster
Troubleshooting tips
Appliance administrator permissions
Asset administrator permissions
Auditor permissions
Authorizer administrator permissions
Directory administrator permissions
Help Desk administrator permissions
Operations administrator permissions
Security Policy administrator permissions
User administrator permissions
Preparing systems for management
Prepare ACF - Mainframe systems
Prepare Amazon Web Services platforms
Prepare Cisco devices
Prepare Dell iDRAC devices
Prepare ESXi VMware hosts
Prepare Facebook hosts
Prepare Fortinet FortiOS devices
Prepare F5 Big-IP devices
Prepare HP iLO servers
Prepare HP iLO MP (Management Processors)
Prepare IBM i (AS/400) systems
Prepare JunOS - Juniper Networks systems
Prepare MongoDB
Prepare MySQL servers
Prepare Oracle databases
Prepare PAN-OS (Palo Alto) networks
Prepare PostgreSQL
Prepare RACF - Mainframe systems
Prepare SAP HANA
Prepare SAP Netweaver Application Servers
Prepare Sybase (Adaptive Server Enterprise) servers
Prepare SonicOS devices
Prepare SonicWALL SMA or CMS appliances
Prepare SQL Servers
Prepare Top Secret - Mainframe systems
Prepare Unix-based systems
Prepare Windows systems
Troubleshooting
Anti Cross-Site Request Forgery token error
Connectivity failures
Frequently asked questions
Change password fails
Incorrect authentication credentials
Missing or incorrect SSH host key
No cipher supported error
Service account has insufficient privileges
Cannot connect to remote machine through SSH or RDP
Cannot delete account
Cannot play session message
Domain user denied access to Safeguard for Privileged Passwords
LCD status messages
My Mac keychain password was lost
Password fails for Unix host
Password is pending review
Profile did not run
Recovery kiosk
Appliance information
Power options
Admin password reset
Factory reset from recovery kiosk
Support bundle
Replica not adding
System services did not update or restart after password change
SPP to SPS join issues
SPP to SPS join error resolution
Test Connection failures
Test Connection failures on archive server
Certificate issue
Cipher support
Domain controller issue
Networking issue
Windows WMI connection failure
Timeout errors causing operations to fail
User locked out
User not notified
How do I access the API
How do I audit transaction activity
How do I configure external federation authentication
Safeguard Desktop Player
Appendix: Safeguard ports
How do I add an external federation provider trust
How do I create a relying party trust for the STS
How do I add an external federation user account
How do I manage accounts on unsupported platforms
How do I modify the appliance configuration settings
How do I prevent Safeguard for Privileged Passwords messages when making RDP connections
How do I see which assets and/or accounts are governed by a profile
How do I set the appliance system time
How do I setup discovery jobs
Asset discovery job workflow
Account and service discovery job workflow
Directory account discovery job workflow
How do Safeguard for Privileged Passwords database servers use SSL
What are the access request states
What do I do when an appliance goes into quarantine
What is required for One Identity Safeguard for Privileged Passwords, embedded sessions module
What is required to integrate with Starling Identity Analytics & Risk Intelligence
What needs to be set up to use Application to Application
What role-based email notifications are generated by default
When does the rules engine run for dynamic grouping and tagging
Why did the password change during an open request
Why join Safeguard for Privileged Passwords to One Identity Starling
How do I prevent Safeguard for Privileged Passwords messages when making RDP connections
Frequently asked questions > How do I prevent Safeguard for Privileged Passwords messages when making RDP connections
When making an RDP connection, you may encounter two different certificate messages.
-
Unsigned RDP file message
This message occurs when Remote Desktop Connection opens the RDP file that is downloaded when you click
Play in the Safeguard for Privileged Passwords user interface.
We are currently working on a solution that will allow Safeguard for Privileged Passwords to sign this RDP file to avoid this message.
-
Untrusted server certification message
This message occurs when the workstation has not trusted the Safeguard for Privileged Passwords RDP Connection Signing Certificate.
NOTE: The IP address of the connecting server is that of the Safeguard appliance.
To avoid this message, you must trust the RDP Connection Signing Certificate and certificates in its chain of trust or replace the current certificate with an enterprise certificate and chain of trust that is trusted. For more information on certificate chain of trust, see Certificate chain of trust. For more information on replacing the RDP Connection Signing Certificate, see Sessions Certificates.
One Identity recommends that you replace the entire configuration with your own trusted enterprise PKI. This would result in a structure such as:
- Your Root CA
- Your Issuing CA
- Your RDP Signing Certificate (from Safeguard CSR)
- <Sessions module generated certificate>
- Your RDP Signing Certificate (from Safeguard CSR)
- Your Issuing CA
The Root CA, Issuing CA, and RDP Signing Certificates can be distributed via Group Policy, Active Directory, or other distribution means.
- Your Root CA
Related Topics
Certificate chain of trust
Frequently asked questions > How do I prevent Safeguard for Privileged Passwords messages when making RDP connections > Certificate chain of trust
The default certificate chain of trust configuration that ships with Safeguard for Privileged Passwords is generated from the SafeguardCluster root certificate.
Figure 1: Default certificate chain of trust
When setting up RDP Connection Signing, the certificate chain of trust also includes the certificate issued to Safeguard for Privileged Passwords for RDP, as illustrated below.
Figure 2: Default certificate chain of trust when setting up RDP Connection Signing
NOTES:
- The Safeguard for Privileged Passwords Cluster certificate must be added to the trusted root CA certificate store and the DefaultSessionRdpSigning certificate must be added to the intermediate CA certificate store of the workstations from which a session request is submitted.
- Once configured, RDP sessions from any cluster member will be trusted (thus avoiding the Untrusted server certification message) because the certificate for each Safeguard for Privileged Passwords cluster member is issued the DefaultSessionRdpSigning certificate.
- This also prevents receiving new messages should the IP address of the Safeguard for Privileged Passwords Appliance change.
How do I see which assets and/or accounts are governed by a profile
To see which assets and/or accounts are assigned to a profile, you must open the profile details window.
To view which assets or accounts are assigned to a partition profile
- In Partitions or Directories, switch to the Profiles tab.
- Select a profile and click the
Details icon.
- In the profile dialog, select the Scope tab which provides a list of the assets and accounts currently being governed by the selected profile.
How do I set the appliance system time
|
|
Note: Changing appliance time can result in unintended consequences with processes running on the appliance. For example, there could be a disruption of password check and change profiles and audit log timestamps could be misleading. |
|
|
TIP: As a best practice, set an NTP server to eliminate possible time-related issues. For more information, see Time. |
To set the time on your appliance
- Use the appliance API to change the appliance time (SystemTime). For information about using the API, see How do I access the API.