
One Identity Safeguard for Privileged Passwords 2.5 - Administration Guide


About service accounts

Safeguard for Privileged Passwords uses a service account to connect to an asset to securely manage accounts and passwords on that asset. Therefore a service account needs sufficient permissions to edit the passwords of other accounts.

When you add an asset, Safeguard for Privileged Passwords adds its service account to the list of Accounts and designates it with a Service Account icon. By default, Safeguard for Privileged Passwords automatically manages the service account password according to the check and change schedules in the profile that governs its asset. For more information, see Creating a partition profile.

When adding a service account, Safeguard for Privileged Passwords automatically disables it from access requests. If you want the password to be available for release, click Access Requests and select Enable Password Request. If you want to enable session access, select Enable Session Request.

TIP: As a best practice, if you do not want Safeguard for Privileged Passwords to manage a service account password, add the account to a profile that is set to never change passwords.

If you delete a service account, Safeguard for Privileged Passwords changes the asset's authentication type to None, which disables automatic password management for all accounts associated with that asset. Users can still check out those passwords; however, if the policy that governs an account requires a password change after release, the password can get stuck in a 'pending password reset' state because there is no longer a service account to perform the change. For more information, see Password is pending a reset.

Using a directory account as a service account for an asset

To use a directory account as a service account for an asset, you must first add the account to the directory. For more information, see Adding directory accounts to a directory.

Test connectivity

The most common causes of failure in Safeguard for Privileged Passwords are either connectivity issues between the appliance and the managed system, or problems with service accounts. If you experience issues, first verify that you can access the managed system from another system (independent of Safeguard for Privileged Passwords), using the service account. For more information about troubleshooting connectivity issues, see Test Connection failures and Connectivity failures.

Restore

Safeguard for Privileged Passwords allows you to restore the data on your appliance with data from a selected backup.

Safeguard for Privileged Passwords does not restore the appliance IP address, NTP settings or the DNS settings. To verify that these settings are correct after a restore, go to Settings | Appliance Information.

Caution: If you restore a backup that is older than the Maximum Password Age set in the Login Control settings, all user accounts (including the bootstrap administrator) will be disabled and you will have to reset all of the user account passwords. If your bootstrap administrator's password is locked out, you can reset it from the recovery kiosk. For more information, see Admin password reset.

To restore the Safeguard for Privileged Passwords appliance from a selected backup

  1. Navigate to Administrative Tools | Settings | Backup and Retention | Safeguard Backup and Restore.
  2. Select a backup. If the backup file is not listed, you can Upload it first.
  3. Click Restore.
  4. In the Restore dialog, enter the word Restore in the box and click OK.

    Safeguard for Privileged Passwords automatically restarts the appliance, if necessary.

  5. Once the appliance is fully operational, it asks you to restart the Windows desktop client. All modifications to Safeguard for Privileged Passwords objects since the backup was created will be lost.

Caution: After a restore, requesters, approvers, and reviewers will not have access to any access request workflow events that were in process at the time of the backup. The Activity Center displays those workflow events as incomplete.

About Test Connection

When adding an asset, Test Connection verifies that Safeguard for Privileged Passwords can log into the asset using the service account credentials that you have provided.

When adding an asset that requires an SSH host key, Test Connection first discovers the key and presents it to you for acceptance. When you accept it, Test Connection then verifies that Safeguard for Privileged Passwords can log into the asset using the service account credentials that you have provided.

Once you save the new asset, Safeguard for Privileged Passwords saves the service account credentials. Safeguard for Privileged Passwords uses these credentials to connect to an asset to securely manage accounts and passwords on that asset. For more information, see About service accounts.

If you want to verify an existing asset's connectivity, use the Check Connection right-click command. For more information, see Checking an asset's connectivity.

Related Topics

Test Connection failures

SSH Key

You can configure Safeguard for Privileged Passwords to authenticate to a managed system using an SSH authentication key. Safeguard for Privileged Passwords will not rotate SSH Keys unless you select the Manage SSH Key option in the asset's profile change schedule. For more information, see Adding change password settings.

Note: This option is not available for all operating systems. If a Safeguard for Privileged Passwords asset requires an SSH host key and does not have one, Check Password, Change Password, and Test Connection will fail. For more information, see Connectivity failures.

Table 65: SSH Key authentication type properties
Property Description
Automatically Generate the SSH Key

Select this option to have Safeguard for Privileged Passwords generate the SSH authentication key.

Manually Deploy the SSH Key

When you select Automatically Generate the SSH Key, Safeguard for Privileged Passwords allows you to select this option so that you can manually append this public key to the authorized keys file on the managed system for the service account. For more information, see Downloading a public SSH key.

The SSH authentication key becomes available after Safeguard for Privileged Passwords creates the asset.

Important: If you do not select this option, Safeguard for Privileged Passwords automatically installs the SSH authentication key. If you select this option Safeguard for Privileged Passwords creates the key and associates it with the Safeguard for Privileged Passwords asset you are creating, but it does not install it on the managed system for you.

Import and Manually Deploy the SSH Key

Select this option, then Browse to import an SSH authentication key. For more information, see Importing an SSH key.

Key Comment

(Optional) Enter a description of this SSH key.

Service Account Name

Enter the service account name that Safeguard for Privileged Passwords is to use for management tasks. This is the account Safeguard for Privileged Passwords uses to install the SSH authentication key on the asset. For more information, see About service accounts.

Required

Service Account Password

If not importing the SSH authentication key, then you must enter the service account password Safeguard for Privileged Passwords needs to authenticate to this managed system.

Limit: 255 characters

Required

Test Connection

Click this button to verify that Safeguard for Privileged Passwords can log into this asset using the service account credentials you have provided. For more information, see About Test Connection.

Privilege Elevation Command

Enter a privilege elevation command (such as sudo), if required. This is used as a prefix for commands that require privileged access on the system and to manage accounts on Unix-based systems; that is, to check and change passwords and to discover accounts.

When adding an asset, Safeguard for Privileged Passwords uses this command to perform Test Connection. For more information, see About Test Connection.

To enable Safeguard for Privileged Passwords to elevate the privileges of the service account, assign the asset to the scope of a partition profile that has the privilege elevation command defined. For more information, see Creating a partition profile.

The privilege elevation command must run non-interactively, that is, without prompting for a password. For more information, see Prepare Unix-based systems.


Limit: 255 characters

Auto Accept SSH Host Key

Select this option to have Safeguard for Privileged Passwords automatically accept the SSH host key when it creates the Safeguard for Privileged Passwords asset.

When this option is selected, Safeguard for Privileged Passwords displays the thumbprint of the SSH host key that was discovered. Before relying on it, compare that thumbprint with the host key fingerprint obtained from the managed system through an independent channel (for example, from the console or from the system's administrator); accepting an unverified key trusts whatever host answered at the time of discovery. When a managed system requiring an SSH host key does not have one, Check Password will fail. For more information, see Connectivity failures.

Port

Enter the port number used by SSH to log into the managed system.

Required

Connection Timeout

Enter the command timeout period. This option applies only to platforms that use Telnet or SSH.

Default: 20 seconds
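The checks described under Test connectivity, Manually Deploy the SSH Key, Privilege Elevation Command and Auto Accept SSH Host Key can all be run from any workstation with an OpenSSH client before the asset is added. The script below is an added example written for this guide; it is not part of Safeguard for Privileged Passwords. It assumes OpenSSH tools (ssh, ssh-keyscan, ssh-keygen) are installed, that the service account already exists on the managed system, and that Safeguard shows the host key thumbprint in the same SHA256 form that ssh-keygen -l prints (if your appliance shows another hash, pass the matching -E option to ssh-keygen). Host, port, account and key file are supplied as arguments; the fingerprint and public key values in the comments are constructed placeholders.

```shell
#!/bin/sh
# Pre-flight checks for a Unix asset before adding it to Safeguard for
# Privileged Passwords. Hypothetical helper, not the product's own tooling.
#
# Usage: ./preflight.sh HOST PORT SERVICE_ACCOUNT [PRIVATE_KEY_FILE]

# Pull the "SHA256:..." token out of `ssh-keygen -l` output.
extract_fingerprint() {
  awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^SHA256:/) { print $i; exit } }'
}

# Fingerprint of the host key that HOST:PORT actually presents, obtained
# independently of the appliance so the thumbprint it shows can be verified.
host_key_fingerprint() {
  host=$1; port=$2
  ssh-keyscan -p "$port" -t ed25519,rsa,ecdsa "$host" 2>/dev/null \
    | ssh-keygen -E sha256 -lf - 2>/dev/null \
    | extract_fingerprint
}

# Compare the thumbprint shown in the Safeguard UI with one taken from the
# host; the SHA256: prefix is optional on either side. Empty never matches.
fingerprints_match() {
  a=$(printf '%s' "$1" | sed 's/^SHA256://')
  b=$(printf '%s' "$2" | sed 's/^SHA256://')
  [ -n "$a" ] && [ "$a" = "$b" ]
}

# Sanity check for the key you are about to append to authorized_keys:
# it must be an OpenSSH public key line, never a pasted private key.
pubkey_line_ok() {
  printf '%s\n' "$1" \
    | grep -Eq '^(ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/]+=*( .*)?$'
}

# Manually deploy a downloaded public key for the service account. This
# one-time login may use the account password; afterwards key auth works.
deploy_public_key() {
  host=$1; port=$2; user=$3; pubkey_file=$4
  pubkey_line_ok "$(head -n 1 "$pubkey_file")" || { echo "not a public key line" >&2; return 1; }
  ssh -p "$port" "$user@$host" \
    'umask 077; mkdir -p ~/.ssh && cat >> ~/.ssh/authorized_keys' < "$pubkey_file"
}

# Login check the way the appliance must do it: BatchMode fails instead of
# prompting, StrictHostKeyChecking=yes refuses an unknown host key rather
# than silently trusting it (add the verified key to known_hosts first).
ssh_login_ok() {
  host=$1; port=$2; user=$3; key=$4
  if [ -n "$key" ]; then set -- -i "$key" -o IdentitiesOnly=yes; else set --; fi
  ssh -o BatchMode=yes -o ConnectTimeout=20 -o StrictHostKeyChecking=yes \
      -p "$port" "$@" "$user@$host" true
}

# Privilege elevation must run non-interactively: `sudo -n` exits non-zero
# instead of prompting when the account lacks a NOPASSWD rule.
sudo_noninteractive_ok() {
  host=$1; port=$2; user=$3; key=$4
  if [ -n "$key" ]; then set -- -i "$key" -o IdentitiesOnly=yes; else set --; fi
  ssh -o BatchMode=yes -o ConnectTimeout=20 -o StrictHostKeyChecking=yes \
      -p "$port" "$@" "$user@$host" 'sudo -n true'
}

# Run the checks when invoked directly with arguments.
if [ "$#" -ge 3 ]; then
  HOST=$1; PORT=$2; ACCOUNT=$3; KEY=${4:-}
  echo "host key fingerprint: $(host_key_fingerprint "$HOST" "$PORT")"
  if ssh_login_ok "$HOST" "$PORT" "$ACCOUNT" "$KEY"; then echo "login: ok"; else echo "login: FAILED"; fi
  if sudo_noninteractive_ok "$HOST" "$PORT" "$ACCOUNT" "$KEY"; then
    echo "sudo -n: ok"
  else
    echo "sudo -n: FAILED (elevation prompts or is not permitted)"
  fi
fi
```

If `ssh_login_ok` fails while an interactive `ssh` to the same host succeeds, the difference is almost always a prompt (password, passphrase, or host key confirmation) that BatchMode suppresses; Safeguard cannot answer that prompt either, so fix the cause on the managed system rather than in the appliance.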
