One Identity Safeguard for Privileged Passwords introduces the following new features and enhancements in this version.
Appliance Administrators can execute a trusted, secure appliance diagnostics package to help solve issues with configuration, synchronization, and clustering, as well as other internal challenges. The appliance diagnostics package is available from the web support kiosk, not the serial kiosk, and can be used even when the appliance is in quarantine. To protect against external threats, Safeguard rejects illegitimate appliance diagnostics packages. The manifest file in the appliance diagnostics package lists criteria which may include the minimum Safeguard version, the appliance ID, and an expiration timestamp (UTC). New product code and database changes are not included in an appliance diagnostics package.
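To make the manifest criteria concrete, the following added example (not code from One Identity or from the product) evaluates a package manifest against the local appliance the way the notes describe: minimum version, appliance ID, and UTC expiration. The JSON layout, the key names (`min_version`, `appliance_id`, `expires_utc`) and the sample values are assumptions made for illustration only; the real SPP manifest format is not documented on this page, and the package integrity check that makes a package "trusted" is outside what this snippet models.

```python
"""Hypothetical manifest evaluation for an appliance diagnostics package.

The manifest layout below is an assumed JSON format for illustration; it is
not the actual Safeguard for Privileged Passwords manifest format.
"""
import json
from datetime import datetime, timezone

# Constructed sample manifest (hypothetical keys and placeholder values).
SAMPLE_MANIFEST = json.dumps({
    "min_version": "2.9.0",
    "appliance_id": "APPLIANCE-ID-PLACEHOLDER",
    "expires_utc": "2030-01-01T00:00:00Z",
})


def parse_version(text):
    """Turn '2.10.0' into (2, 10, 0) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))


def parse_utc(text):
    """Parse an ISO 8601 timestamp with a trailing 'Z' into a timezone-aware UTC datetime."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def evaluate_manifest(manifest_json, local_version, local_appliance_id, now=None):
    """Return the list of reasons to reject the package; an empty list means every
    criterion listed in the manifest is satisfied.

    Each criterion is enforced only when the manifest carries it, so a manifest
    that omits a criterion simply does not constrain that property.
    """
    now = now or datetime.now(timezone.utc)
    try:
        manifest = json.loads(manifest_json)
    except ValueError as exc:
        return ["manifest is not valid JSON: %s" % exc]

    problems = []

    # Criterion 1: the appliance must run at least the stated Safeguard version.
    min_version = manifest.get("min_version")
    if min_version is not None and parse_version(local_version) < parse_version(min_version):
        problems.append("appliance version %s is below minimum %s" % (local_version, min_version))

    # Criterion 2: the package is bound to one specific appliance.
    expected_id = manifest.get("appliance_id")
    if expected_id is not None and expected_id != local_appliance_id:
        problems.append("package is bound to a different appliance ID")

    # Criterion 3: the package is only usable before its UTC expiration.
    expires = manifest.get("expires_utc")
    if expires is not None and now >= parse_utc(expires):
        problems.append("package expired at %s" % expires)

    return problems


if __name__ == "__main__":
    # Placeholder local appliance state; a real check would read these from the appliance.
    print(evaluate_manifest(SAMPLE_MANIFEST, "2.9.0", "APPLIANCE-ID-PLACEHOLDER"))
```

Comparing versions as integer tuples matters: a plain string comparison would rank "2.10.0" below "2.9.0" and wrongly reject a newer appliance.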
Safeguard for Privileged Passwords (SPP) is enhanced to more easily use Safeguard for Privileged Sessions (SPS) for session recording and playback.
Appliance Administrators can identify the SPP SPS join connections by:
Other nodes in the SPS cluster
Navigate to Administrative Tools | Settings | Cluster | Session Appliances for details.
Appliance Administrators can also identify managed networks by the host name and IP address of the cluster master. Navigate to Administrative Tools | Settings | Cluster | Managed Networks and view Sessions Managed By.
Policy Administrators can identify the host name and IP address of the SPS cluster master from which policies originate. A Warning icon displays if a policy is not functional. Navigate to Administrative Tools | Entitlements | Access Request Policies | Session Settings tab and view the SPS Connection Policy.
Users and administrators receive timely notification if an access request will not result in a launchable session request. The notifications identify details such as:
Policy Administrators can identify the SPS connection policies by the host name and IP address of the SPS cluster master from which the policies originate.
Users are informed if the SPS configuration is locked and are given the option to try again later. This condition typically occurs because the SPS administrator is making configuration changes to the SPS appliance at the same time that a new access request is being created or a session is being launched.
Safeguard for Privileged Passwords (SPP) supports session access requests with mainframes using software terminal emulation including telnet and TN3270/TN5250 over telnet. Safeguard for Privileged Sessions (SPS) version 6.1 or higher is used for session recording.
High-level steps
IMPORTANT: Engagement with One Identity Professional Services is required for assistance with configurations and installation including available plug-ins, policy creation, pattern files, shortcuts, and best practices.
In Safeguard for Privileged Sessions (SPS), the following steps are required. For operation details, see the One Identity Safeguard for Privileged Sessions Administration Guide at this link: One Identity Safeguard for Privileged Sessions Administration Guide.
In Safeguard for Privileged Sessions (SPS):
IMPORTANT: All users will experience an additional step to log in to Safeguard for Privileged Passwords. After clicking Connect, the user sees a message like: You'll now be redirected to your web browser to complete the login process. You can select: Don't show this message again. Then, click OK. The browser window can be closed. On the user login screen, the user enters the User Name and Password as usual.
A new secondary authentication type, FIDO2, is now supported and can be assigned to any Safeguard for Privileged Passwords user, providing they have at least one compatible FIDO2 authenticator security key. After being configured by a User Administrator, a Safeguard for Privileged Passwords user will be prompted to register their FIDO2 authenticator security key at next login.
Users are then responsible for managing their own FIDO2 authenticator keys, including registering additional keys for backup purposes, viewing, renaming, or deleting unused keys.
Any FIDO/FIDO2 authenticator that supports the WebAuthn standard can be used for two-factor authentication; this includes some older U2F authenticator security keys. Safeguard for Privileged Passwords does not use or require any authenticator attestation data. User verification, such as a PIN or biometric, is not used either.
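The relying-party policy described above (any WebAuthn-capable authenticator, attestation not used, user verification not used) maps onto two concrete things: the options the relying party sends at registration, and which authenticatorData flags it insists on when the response comes back. The following added example, which is not code from One Identity or the product, shows both. The relying-party ID `safeguard.example`, the sample authenticatorData bytes and the helper names are constructed for this example; the flag bit positions and the option values `"none"` and `"discouraged"` are from the W3C WebAuthn specification.

```python
"""Added example: relying-party side of a WebAuthn registration that accepts
any authenticator, ignores attestation, and does not require user verification.

Only the authenticatorData prefix (rpIdHash, flags, signCount) is parsed and
checked here; challenge and signature verification, which a full relying party
also performs, are out of scope for this illustration.
"""
import hashlib
import struct

# authenticatorData flag bits (WebAuthn Level 2, section 6.1).
FLAG_UP = 0x01  # user present (touch)
FLAG_UV = 0x04  # user verified (PIN or biometric)
FLAG_AT = 0x40  # attested credential data follows the 37-byte prefix
FLAG_ED = 0x80  # extension data follows

RP_ID = "safeguard.example"  # placeholder relying-party ID, constructed for this example


def registration_options(challenge, rp_id=RP_ID, rp_name="Safeguard (example)"):
    """PublicKeyCredentialCreationOptions expressing the policy in the notes:
    attestation 'none' (no attestation data wanted) and userVerification
    'discouraged' (a PIN/biometric is not required)."""
    return {
        "challenge": challenge,
        "rp": {"id": rp_id, "name": rp_name},
        "user": {"id": b"user-id-placeholder", "name": "user@example", "displayName": "Example User"},
        "pubKeyCredParams": [{"type": "public-key", "alg": -7}],  # ES256
        "attestation": "none",
        "authenticatorSelection": {"userVerification": "discouraged"},
    }


def build_authenticator_data(rp_id, flags, sign_count):
    """Construct the fixed 37-byte authenticatorData prefix: rpIdHash || flags || signCount."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", sign_count)


def parse_authenticator_data(data):
    """Split the prefix into (rpIdHash, flags, signCount); raises on a short buffer."""
    if len(data) < 37:
        raise ValueError("authenticatorData shorter than the 37-byte fixed prefix")
    rp_id_hash = data[:32]
    flags = data[32]
    sign_count = struct.unpack(">I", data[33:37])[0]
    return rp_id_hash, flags, sign_count


def check_registration(auth_data, rp_id, attestation_format):
    """Return (accepted, reason).

    Accept when the credential is scoped to our RP ID and the user was present.
    The UV flag is read but not required, and attestation_format is not
    inspected, because neither is used under the policy in the notes.
    """
    rp_id_hash, flags, _sign_count = parse_authenticator_data(auth_data)
    if rp_id_hash != hashlib.sha256(rp_id.encode()).digest():
        return False, "rpIdHash does not match relying party ID"
    if not flags & FLAG_UP:
        return False, "user presence (UP) flag not set"
    user_verified = bool(flags & FLAG_UV)
    return True, "accepted (uv=%s, attestation format '%s' ignored)" % (user_verified, attestation_format)


if __name__ == "__main__":
    # Constructed response from an older U2F key: UP set, no UV, 'fido-u2f' attestation.
    u2f_response = build_authenticator_data(RP_ID, FLAG_UP | FLAG_AT, 1)
    print(check_registration(u2f_response, RP_ID, "fido-u2f"))
```

Because UV is only reported and never required, a U2F key that can signal presence but not verification registers successfully, which is exactly why the older keys mentioned above remain usable.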
The Appliance Administrator can deploy to Hyper-V as the virtual target environment by importing the Safeguard for Privileged Passwords Hyper-V zip file, which contains the virtual machine settings.
vSphere Hypervisor (ESXi) is enhanced in Safeguard for Privileged Passwords (SPP) 2.9. For SPP 2.9 only, you are required to take a backup of your 2.8.x system and restore it on your SPP 2.9 system. Future versions will not require this action.
CAUTION: Failure to back up your 2.8.x system and restore it on your SPP 2.9 system will result in loss of configuration and functionality.
The Safeguard for Privileged Passwords Appliance is built specifically for use only with the Safeguard for Privileged Passwords privileged management software that is already installed and ready for immediate use. It comes hardened to ensure the system is secure at the hardware, operating system, and software levels.
The One Identity Safeguard for Privileged Passwords 2000 Appliance specifications and power requirements are as follows.
| Feature / Specification | Safeguard for Privileged Passwords 2000 |
|---|---|
| Processor | Intel Xeon E3-1275v5 3.60 GHz |
| # of Processors | 1 |
| # of Cores per Processor | 4 |
| L2/L3 Cache | 4 x 256KB L2, 8MB L3 SmartCache |
| Chipset | Intel C236 Chipset |
| DIMMs | DDR4-2400 ECC Unbuffered DIMMs |
| Internal HD Controller | LSI MegaRAID SAS 9391-4i 12Gbps SAS3 |
| Disk | 4 x Seagate EC2.5 1TB SAS 512e |
| Availability | TPM 2.0, ECC Memory, Redundant PSU |
| I/O Slots | x16 PCIe 3.0, x8 PCIe 3.0 |
| NIC/LOM | 3 x Intel i210-AT GbE |
| Power Supplies | Redundant, 700W, Auto Ranging (100V~240V), ACPI compatible |
| Fans | 4 x 40mm Counter-rotating, Non-hot-swappable |
| Dimensions | 43 x 437.0 x 597.0 (mm); 1.7 x 17.2 x 23.5 (in) |
| Weight | Max: 46 lbs (20.9 kg) |
| Miscellaneous | FIPS Compliant Chassis |
| Input Voltage | 100-240 Vac |
| Power Consumption (Watts) | 170.9 |
Ensure that your system meets the minimum hardware and software requirements for these clients.
If a Safeguard Sessions Appliance is joined to Safeguard for Privileged Passwords, session recording is handled via Safeguard for Privileged Sessions. The join is initiated from Safeguard for Privileged Sessions. For details about the join steps and issue resolution, see the One Identity Safeguard for Privileged Sessions Administration Guide at this link: One Identity Safeguard for Privileged Sessions - Technical Documentation.
We recommend inter-site bandwidth, including overhead, of more than 10 megabits per second, with a one-way latency of less than 500 ms. If you are using traffic shaping, you must allow sufficient bandwidth and priority to port 655 UDP/TCP in the shaping profile. These numbers are offered as a guideline only, since other factors could require additional network tuning. These factors include but are not limited to: jitter, packet loss, response time, usage, and network saturation. If you have any questions, please contact One Identity Technical Support.
The desktop client is a native Windows application suitable for use on end-user machines. You install the desktop client by means of an MSI package which you can download from the appliance web client portal. You do not need administrator privileges to install One Identity Safeguard for Privileged Passwords.
NOTE: The Windows desktop client also installs:
Microsoft .NET Framework 4.6 (or later)
64-bit editions of:
If the appliance setting TLS 1.2 Only (Administrative Tools | Settings | Appliance | Appliance Information) is enabled, ensure the desktop client also has TLS 1.2 enabled. If the client has an earlier version of TLS enabled instead, you will be locked out of the client and will not be able to connect to Safeguard for Privileged Passwords.
See One Identity Safeguard for Privileged Sessions [version] Safeguard Desktop Player User Guide available at: One Identity Safeguard for Privileged Sessions - Technical Documentation, User Guide.