NOTE: If a Safeguard Sessions Appliance is joined to Safeguard for Privileged Passwords, assigning the certificate is handled via Safeguard for Privileged Sessions.
The Sessions Certificates pane on the Certificates setting page displays details about the certificates that are used by One Identity Safeguard for Privileged Passwords to provide Privileged Sessions functionality.
Each of these certificates must be trusted by the client workstations that will be making sessions requests and reviewing sessions. This may be accomplished by signing the certificates with an enterprise root authority that is trusted by the client workstations (recommended), or the certificates may be distributed to each workstation via group policy or other distribution means.
NOTE: While Safeguard for Privileged Passwords ships with default certificates, One Identity recommends that you load your own.
Navigate to Administrative Tools | Settings | Certificates | Sessions Certificates.
Certificate | Description |
---|---|
Timestamping Certificate Authority | This certificate is used to sign timestamps embedded in session recordings to prove when the session recording occurred. When playing back recorded sessions using the Safeguard Desktop Player, this certificate's public key, in addition to the certificate's issuer, must be available if you wish to validate the signed timestamps. |
Session Recording Signing Certificate | This certificate is used to sign the session recording files to prevent manipulation and prove that they were created by, and came from, Safeguard for Privileged Passwords. When playing back recorded sessions using the Safeguard Desktop Player, this certificate's public key, in addition to the certificate's issuer, must be available if you wish to validate the signed recording. |
RDP Connection Signing Certificate | This is a Certificate Authority (CA) certificate that issues the server SSL certificate presented when a user connects a privileged session via RDP. Each time that an RDP connection is established through Safeguard, an SSL certificate is generated by this CA on-the-fly; therefore, this CA certificate should already be trusted as part of the customer's enterprise PKI. You must also have the certificate's private key. |
You can have only one certificate of each type defined. That is, Safeguard for Privileged Passwords uses the default certificate or a certificate you uploaded to replace the default certificate.
For each of these certificates, the following properties and controls are available to manage your sessions certificates.
Properties/Controls | Description |
---|---|
Refresh | Click Refresh to update the list of certificates on the Sessions Certificates pane. |
Subject | The name of the subject (such as user, program, computer, service or other entity) assigned to the certificate when it was requested. |
Thumbprint | A unique hash value that identifies the certificate. |
Add Certificate | Click Add Certificate and select one of the following options to replace the default certificate with a new certificate: |
Use Default | Click Use Default to reset the certificate back to the default. |
NOTE: If a Safeguard Sessions Appliance is joined to Safeguard for Privileged Passwords, assigning the certificate is handled via Safeguard for Privileged Sessions.
If you do not want to use the default certificate provided with Safeguard for Privileged Passwords, you can replace it with another certificate with a private key.
NOTE: For uploading certificates with private keys, Safeguard for Privileged Passwords supports .pfx (or .p12) files which follow the PKCS #12 standard.
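Before uploading a .pfx as the RDP Connection Signing Certificate, it helps to confirm that the file holds a CA certificate together with its matching private key. The following is an added example, not One Identity code: it uses the openssl command-line tool on two throwaway PKCS #12 files built inline. All subjects, file names and the password are constructed, and it assumes the Thumbprint shown in the pane is the certificate's SHA-1 fingerprint.

```shell
# Added example (not vendor code): inspect a PKCS #12 file before uploading it.
# Subjects, file names and the password "constructed" are sample values.

# make_pfx DIR NAME TRUE|FALSE: throwaway self-signed cert + key, exported as DIR/NAME.pfx
make_pfx() {
  cat > "$1/$2.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3
prompt = no
[dn]
CN = Constructed $2
[v3]
basicConstraints = critical,CA:$3
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$1/$2.cnf" \
    -keyout "$1/$2.key" -out "$1/$2.crt" 2>/dev/null &&
  openssl pkcs12 -export -inkey "$1/$2.key" -in "$1/$2.crt" \
    -out "$1/$2.pfx" -passout pass:constructed
}

# pfx_report FILE PASSWORD: prints "key=.. match=.. ca=.. sha1=..";
# returns 1 if the file cannot be opened (wrong password, not PKCS #12).
pfx_report() {
  local crt key has_key=no match=no ca=no sha1 cert_pub key_pub
  # First certificate in the file, re-encoded as clean PEM.
  crt=$(openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys 2>/dev/null |
        openssl x509 2>/dev/null) || return 1
  key=$(openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes 2>/dev/null)
  case $key in *"PRIVATE KEY"*) has_key=yes ;; esac
  # The private key must belong to the certificate: compare public keys.
  cert_pub=$(printf '%s\n' "$crt" | openssl x509 -noout -pubkey)
  key_pub=$(printf '%s\n' "$key" | openssl pkey -pubout 2>/dev/null)
  if [ "$has_key" = yes ] && [ "$cert_pub" = "$key_pub" ]; then match=yes; fi
  # An issuing certificate needs basicConstraints CA:TRUE.
  if printf '%s\n' "$crt" | openssl x509 -noout -text | grep -q 'CA:TRUE'; then ca=yes; fi
  # Assumption: the Thumbprint column is the SHA-1 fingerprint of the certificate.
  sha1=$(printf '%s\n' "$crt" | openssl x509 -noout -fingerprint -sha1 | cut -d= -f2 | tr -d ':')
  echo "key=$has_key match=$match ca=$ca sha1=$sha1"
}

tmp=$(mktemp -d)
make_pfx "$tmp" rdp-ca TRUE    # CA certificate with key: fits the RDP signing role
make_pfx "$tmp" leaf FALSE     # ordinary certificate: cannot issue the per-connection certs
pfx_report "$tmp/rdp-ca.pfx" constructed
pfx_report "$tmp/leaf.pfx" constructed
```

For a real file, supply the password with `-passin env:VAR` or `-passin file:PATH` instead of `pass:`, which exposes it in the process list. The printed sha1 value can then be compared with the Thumbprint shown in the Sessions Certificates pane after the upload.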
To install a session certificate
Click the Add Certificate button for the sessions certificate to be replaced. Select the appropriate option:
NOTE: If a Safeguard Sessions Appliance is joined to Safeguard for Privileged Passwords, assigning the certificate is handled via Safeguard for Privileged Sessions.
If you do not want to use a default sessions certificate provided with Safeguard for Privileged Passwords, you can enroll a certificate using a Certificate Signing Request (CSR) to replace the default certificate.
To create a CSR for a sessions certificate
Subject (Distinguished Name): Enter the distinguished name of the person or entity to whom the certificate is being issued. Maximum length of 500 characters.
NOTE: Click Use Distinguished Name Creator to create the distinguished name based on fully-qualified domain name, department, organization unit, locality, state/county/region, and country.
Key Size: Select the bit length of the private key pair:
4096
NOTE: The bit length determines the security level of the certificate. A higher bit length means stronger security.
Click OK to save your selections and enroll the certificate.
Certificates enrolled via CSR are listed in the Certificate Signing Request pane.
NOTE: If a Safeguard Sessions Appliance is joined to Safeguard for Privileged Passwords, assigning the certificate is handled via Safeguard for Privileged Sessions.
If you have uploaded and replaced a default sessions certificate, you can reset this user-supplied certificate to use the default certificate provided with Safeguard for Privileged Passwords.
To reset a certificate back to the default sessions certificate:
In the Use Default confirmation dialog, enter the word default and click OK.
Once installed, the default certificate will display in the Sessions Certificates pane and be used by the Privileged Sessions module.
© 2019 One Identity LLC. ALL RIGHTS RESERVED.