What's new in version 6.0 LTS
One Identity Safeguard for Privileged Passwords introduces the following new features and enhancements in this version.
|
|
CAUTION:The embedded sessions module was removed in Safeguard for Privileged Passwords 6.0 LTS. Organizations must join to the more robust Safeguard for Privileged Sessions Appliance for sessions recording and playback. Please contact your Account Manager if you are currently using the embedded sessions module to discuss upgrading to 6.0 LTS including implementation of the Safeguard for Privilege Sessions appliance or virtual appliance. |
SPP embedded sessions module removed (191547)
The embedded sessions module has been removed with Safeguard for Privileged Passwords 6.0 LTS. For uninterrupted service, organizations must join to the more robust Safeguard for Privileged Sessions Appliance for sessions recording and playback.
See:
Support for the Safeguard for Privileged Passwords 3000 Appliance (191553)
NOTE: No upgrade is needed for Safeguard for Privileged Passwords 2000 Appliance users.
The Safeguard for Privileged Passwords 3000 Appliance is available with the latest security updates and trusted certificate updates/revocations.
- Appliance Administrators can factory reset to a recent Safeguard for Privileged Passwords version to get the appliance back up and running on the latest version.
- Government agencies and their contractors can rely on the 3000 Appliance to meet common criteria for purchase approval with no need for exceptions.
Functionality includes:
- Default password rules are enhanced for better security including symbols, length, and so on.
- The same certificates as the Safeguard for Privileged Passwords 2000 appliance are used.
- Twitter and Facebook internal platforms are removed in favor of the open source custom platform versions. If in use, the platforms become Other, Other.
Session recordings
Before patching to the 3000 Appliance, move any SPP embedded sessions recordings from local SPP to an archive server. For details, see SPP and SPS sessions appliance join guidance, Step 1: Prepare for the join.
AWS to run in cloud (191525)
Safeguard for Privileged Passwords can be run in the cloud using Amazon Web Services (AWS).
For instructions, see the Safeguard for Privileged Passwords Administration Guide:
Management web kiosk available for cloud platforms
The Management web kiosk is available via HTTPS port 9337 for cloud platforms.
|
|
CAUTION:The Management web kiosk is available via HTTPS port 9337 for cloud platforms (including AWS and Azure). The Management web kiosk gives access to functions without authentication, such as pulling a support bundle or rebooting the appliance. In AWS, all ports are denied unless explicitly allowed. To deny access to port 9337, the port should be left out of the firewall rules. If the port is used, firewall rules should allow access to targeted users. |
Appliance specifications
The Safeguard for Privileged Passwords Appliance is built specifically for use only with the Safeguard for Privileged Passwords privileged management software that is already installed and ready for immediate use. It comes hardened to ensure the system is secure at the hardware, operating system, and software levels.
The following two tables list the One Identity Safeguard for Privileged Passwords 3000 Appliance and 2000 Appliance specifications and power requirements.
Table 2: 3000 Appliance: Feature specifications
| Processor |
Intel Xeon E3-1275v6 3.8 GHz |
| # of Processors |
1 |
| # of Cores per Processor |
4 cores (8 threads) |
| L2/L3 Cache |
8MB L3 Cache |
| Chipset |
Intel C236 Chipset |
| DIMMs |
Unbuffered ECC UDIMM DDR4 2400MHz |
| RAM |
32 GB |
| Internal HD Controller |
LSI MegaRAID SAS 9361-4i Single |
| Disk Hard Drive |
4 x Seagate 7E2000 2TB SAS 512E |
| Availability |
TPM 2.0, EEC Memory, Redundant PSU |
| I/O Slots |
x16 PCIe 3.0, x8 PCIe 3.0 |
| RAID |
RAID10 |
| NIC/LOM |
4 port - dual GbE LAN with Intel i210-AT |
| Power Supplies |
Redundant, 700W, Auto Ranging (100v~240V), ACPI compatible |
| Fans |
1 Supermicro SNK-P0046P and 2 Micron 16GB 2666MHz 2R ECC Unb Z01B Dual Label |
| Chassis |
1U Rack |
|
Dimensions
(HxWxD) |
43 x 437.0 x 597.0 (mm)
1.7 x 17.2 x 23.5 (in) |
| Weight |
Max: 37 lbs (16.78 Kg) |
Table 3: 2000 Appliance: Feature specifications
| Processor |
Intel Xeon E3-1275v5 3.60 GHz |
| # of Processors |
1 |
| # of Cores per Processor |
4 |
| L2/L3 Cache |
4 x 256KB L2, 8MB L3 SmartCache |
| Chipset |
Intel C236 Chipset |
| DIMMs |
DDR4-2400 ECC Unbuffered DIMMs |
| RAM |
32GB |
| Internal HD Controller |
LSI MegaRAID SAS 9391-4i 12Gbps SAS3 |
| Disk |
4 x Seagate EC2.5 1TB SAS 512e |
| Availability |
TPM 2.0, EEC Memory, Redundant PSU |
| I/O Slots |
x16 PCIe 3.0, x8 PCIe 3.0 |
| RAID |
RAID10 |
| NIC/LOM |
3 x Intel i210-AT GbE |
| Power Supplies |
Redundant, 700W, Auto Ranging (100v~240V), ACPI compatible |
| Fans |
4 x 40mm Counter-rotating, Non-hot-swappable |
| Chassis |
1U Rack |
|
Dimensions
(HxWxD) |
43 x 437.0 x 597.0 (mm)
1.7 x 17.2 x 23.5 (in) |
| Weight |
Max: 46 lbs (20.9 Kg) |
| Miscellaneous |
FIPS Compliant Chassis |
Table 4: 3000 Appliance and 2000 Appliance: Power requirements
| Input Voltage |
100-240 Vac |
| Frequency |
50-60Hz |
| Power Consumption (Watts) |
170.9 |
| BTU |
583 |
Safeguard for Privileged Passwords is also available as a virtual appliance and from the cloud. For details see:
System requirements
One Identity Safeguard for Privileged Passwords has several graphical user interfaces that allow you to manage access requests, approvals, and reviews for your managed accounts and systems:
- The Windows desktop client consists of an end-user view and administrator view. The fully featured desktop client exposes all of the functionality of Safeguard based on the role of the authenticated user.
- The web client is functionally similar to the desktop client end-user view and useful for requestors, reviewers, and approvers. Many administration functions are available as well. The web client is sometimes called the Windows client.
- The web management console displays whenever you connect to the virtual appliance and is used for first time configuration.
When setting up a virtual environment, carefully consider the configuration aspects such as CPU, memory availability, I/O subsystem, and network infrastructure to ensure the virtual layer has the necessary resources available. See One Identity's Product Support Policies for more information on environment virtualization.
Ensure that your system meets the minimum hardware and software requirements for these clients.
If a Safeguard Sessions Appliance is joined to Safeguard for Privileged Passwords, session recording is handled via Safeguard for Privileged Session. The join is initiated from Safeguard for Privileged Sessions. For details about the join steps and issue resolution, see the One Identity Safeguard for Privileged Sessions Administration Guide.
Bandwidth
It is recommended that connection, including overhead, is faster than 10 megabits per second inter-site bandwidth with a one-way latency of less than 500 milliseconds. If you are using traffic shaping, you must allow sufficient bandwidth and priority to port 655 UDP/TCP in the shaping profile. These numbers are offered as a guideline only in that other factors could require additional network tuning. These factors include but are not limited to: jitter, packet loss, response time, usage, and network saturation. If there are any further questions, please check with your Network Administration team.
Desktop client system requirements
The desktop client is a native Windows application suitable for use on end-user machines. You install the desktop client by means of an MSI package that you can download from the appliance web client portal. You do not need administrator privileges to install One Identity Safeguard for Privileged Passwords.
NOTE: PuTTY is used to launch the SSH client for SSH session requests and is included in the install. The desktop client looks for any user-installed PuTTY in the following locations:
- Any reference to putty in the PATH environment variable
- c:/Program Files/Putty
- c:/Program Files(x86)/Putty
- c:/Putty
If PuTTY is not found, the desktop client uses the version of PuTTY that it installed at:
<user-home-dir>/AppData/Local/Safeguard/putty.
If the user later installs PuTTY in any of the locations above, the desktop client uses that version which ensures the user has the latest version of PuTTY.
Table 5: Desktop client requirements
| Technology |
Microsoft .NET Framework 4.6 (or later) |
| Windows platforms |
64-bit editions of:
- Windows 7
- Windows 8.1
- Windows 10
- Windows Server 2008 R2
- Windows Server 2012
- Windows Server 2012 R2
- Windows Server 2016
If the appliance setting, TLS 1.2 Only is enabled, (Administrative Tools | Settings | Appliance | Appliance Information), ensure the desktop client also has TLS 1.2 enabled. If the client has an earlier version of TLS enabled, you will be locked out of the client and will not be able to connect to Safeguard for Privileged Passwords.
Considerations:
- Internet Explorer security must be set to use TLS 1.0 or higher. Ensure the proper "Use TLS" setting is enabled on the Advanced tab of the Internet Options dialog (In Internet Explorer, go to Tools | Internet Options | Advanced tab).
- To use FIDO2 two-factor authentication, you will need a web browser that supports the WebAuthn standard.
|
|
Desktop Player |
See One Identity Safeguard for Privileged Sessions [version] Safeguard Desktop Player User Guide available at: One Identity Safeguard for Privileged Sessions - Technical Documentation, User Guide. |
