Chat now with support
Chat with Support

One Identity Safeguard for Privileged Passwords 6.0.11 LTS - Administration Guide

Introduction System requirements and versions Using API and PowerShell tools Using the virtual appliance and web management console Cloud deployment considerations Setting up Safeguard for Privileged Passwords for the first time Using the web client Getting started with the desktop client Using the desktop client Search box Privileged access requests Toolbox Accounts Account Groups Assets Asset Groups Discovery Entitlements Partitions Settings
Access Request settings Appliance settings Asset Management settings Backup and Retention settings Certificate settings Cluster settings External Integration settings Messaging settings Profile settings Safeguard Access settings
Users User Groups Disaster recovery and clusters Administrator permissions Preparing systems for management Troubleshooting Frequently asked questions Appendix A: Safeguard ports Appendix B: SPP 2.7 or later migration guidance Appendix C: SPP and SPS join guidance Appendix D: Regular Expressions SPP glossary

Session Appliances with SPS join

The Asset Administrator can join a Safeguard for Privileged Sessions (SPS) cluster to a Safeguard for Privileged Password (SPP) cluster of one appliance or more for session recording and auditing. The actual join must be between the SPP primary and the SPS cluster master. This means that the Safeguard for Privileged Sessions (SPS) cluster is aware of each node in an SPP cluster and vice-versa.

Once joined, all sessions are initiated by the SPP appliance via an access request and managed by the SPS appliance and sessions are recorded via the Sessions Appliance.

NOTE: If you have a single node SPS cluster where the Central Management node is also the Search Master, SPP will be unable to launch sessions. There has to be at least one SPS appliance in the cluster that is capable of recording sessions. See the SPS Administration Guide, Managing Safeguard for Privileged Sessions (SPS) clusters.

Safeguard for Privileged Passwords join guidance

Before initiating the join, review the steps and considerations in the join guidance. For more information, see SPP and SPS sessions appliance join guidance.

Pay attention to the roles assigned to the SPS nodes. The following caution is offered to avoid losing session playback from SPP.

CAUTION: Do not switch the role of an SPS node from the Search Local role to Search Minion role. If you do, playback of the sessions recorded while in the Search Local role may not be played back from the SPP appliance, and may only be played back via the SPS web user interface. Recordings made with the node in Search Minion role are pushed to the Search Master node and are available for download to SPP. For details about SPS nodes and roles, see the One Identity Safeguard for Privileged Sessions Administration Guide: One Identity Safeguard for Privileged Sessions - Technical Documentation.

Standard operating procedure after the initial join

If you add another SPS cluster after the initial join, follow these standard operating procedures:

  1. Add join connections. See Viewing, deleting, or editing join connections later in this topic.
  2. Identify the session settings on the entitlements access request policy (SPS Connection Policy which is the IP address of the cluster master). For more information, see Creating an access request policy.

  3. Assign the managed networks. For more information, see Managed networks.
If the SPS Central Management node is down

SPP continues to launch sessions on the managed hosts when the SPS Central Management node is down. However, as long as the Central Management node is down, SPP cannot validate existing policies nor can it validate the SPS cluster topology. See the Safeguard for Privileged Sessions Administration Guide, Managing a High Availability One Identity Safeguard for Privileged Sessions (SPS) cluster.

Connection deletion: soft delete versus hard delete

Depending on your goals, you can perform a soft delete or a hard delete.

Soft delete the connection

When a session connection is deleted from the desktop client, the connection information is soft deleted so that a rejoin of the same SPS appliance can reuse the same values. This approach of soft deleting and reusing the same connection values on a rejoin avoids "breaking" all of the Access Request Polices that referenced the previous session connection.

If the session connection is deleted, a caution displays when you navigate to Administrative Tools | Entitlements | Access Request Policies and go to the Session Settings tab. For more information, see Session Settings tab.

Hard delete the connection

A hard delete can be performed to permanently remove the session connection. This is usually only done in cases where either a rejoin is not desired or retaining the previous session connection values is preventing an SPS appliance from joining or rejoining.

A hard delete can be performed from the API using the following steps for using PowerShell or Swagger.

Hard delete with PowerShell

The latest version of Safeguard PowerShell includes two cmdlets to perform the hard delete.

split-safeguardSessionCluster -SessionMaster <name or ID of session master>

Remove-SafeguardSessionSplitCluster -SessionMaster <name or ID of session master>

See OneIdentity/safeguard-ps.

Hard delete with Swagger

  1. In a browser, navigate to https://<your-ip-address>/service/core/swagger.
  2. Authenticate to the service using the Authorize button.
  3. Navigate to Cluster->GET /v3/cluster/SessionModules and click Try it out!.
  4. Identify if the unwanted session connection exists on the list:
    1. If the unwanted session connection exists in the list, then:
      1. Note the ID of the session connection.
      2. Navigate to Cluster DELETE /v3/cluster/SessionModules.
      3. Enter the ID.
      4. Click Try it out!”.
      5. Go to step 3.
    2. If the unwanted session connection does not exist in the list, then:
      1. Set the includeDisconnected parameter to true.
      2. Click Try it out!.
      3. If the unwanted session connection exists in the list, then go to step 4a to delete the entry a second time which will result in a hard delete.
  5. The process is complete and the session connection is permanently removed.
Viewing, deleting, or editing join connections

Once the join is complete, navigate to Administrative Tools | Settings | Cluster | Session Appliances to view, delete, or edit join connections. The Session Appliances pane displays the following session details.

Table 148: Session Appliances: Properties
Property Description

Host Name

The host name of the SPS appliance host cluster master.

Network Address

The network DNS name or IP address of the session connection.

Description

(optional) Descriptive text about the SPS session connection (for example, 20 on cluster - 172 primary node).

Connection User

The user name for Safeguard for Privileged Passwords (SPP). Do not include spaces in the user name.

Thumbprint

A unique hash value that identifies the certificate.

Managed Hosts

Other nodes in the SPS cluster identified by the managed host name and IP address. Hover over any Warning icon to see if the Managed Host is Unavailable or Unknown.

Click a Host Name row to bring up the Session Module Connection dialog.

Table 149: Session Module Connection: Properties
Property Description

Node ID

The name of the Safeguard for Privileged Sessions Appliance used to authenticate the joined SPS session connection.

Host Name

The host name of the SPS appliance host cluster master.

SPP Username

The user name for Safeguard for Privileged Passwords (SPP). Do not include spaces in the user name.

Description

(optional) Descriptive text about the SPS session connection (for example, 20 on cluster - 172 primary node).

Network Address

The network DNS name or IP address of the session connection.

Use Host Name (not IP address)

If checked, the connection string used to launch a session uses the host name of the SPS appliance rather than the IP address.

Use these toolbar buttons to manage sessions.

Table 150: Sessions Management: Toolbar
Option Description
Delete Selected

Remove the selected joined SPS session connection. For details on soft versus hard deletes, see Connection deletion: soft delete versus hard delete earlier in this topic.

Edit

Modify the selected joined SPS session connection Description or Network Address on the Session Module Connection dialog.

Refresh

Update the list of joined SPS session connections.

Session Module Password Access Enabled

Toggle on

Toggle off

CAUTION: This functionality supports the join with Safeguard for Privileged Sessions (SPS) version 6.2.0 or later. The toggle function is used to enable an SPS initiated session to get the session credentials from SPP. For information see the One Identity Safeguard for Privileged Sessions Administration Guide at this link: One Identity Safeguard for Privileged Sessions - Technical Documentation.

External Integration settings

The Appliance Administrator can:

  • Configure the appliance to send event notifications to various external systems.
  • Integrate with an external ticketing system or track generic ticket numbers.
  • Configure both external and secondary authentication service providers.

However, it is the Security Policy Administrator's responsibility to configure the Approval Anywhere feature.

Navigate to Administrative Tools | Settings | External Integration.

Table 151: External Integration settings
Setting Description

Application to Application

Where you configure application registrations to use the Application to Application service, which allows third-party applications to retrieve credentials from Safeguard for Privileged Passwords

Approval Anywhere

Where you define the Safeguard for Privileged Passwords users who are authorized to use Approval Anywhere to approve access requests

Email

Where you configure Safeguard for Privileged Passwords to automatically send email notifications when certain events occur

Identity and Authentication

Where you configure the identity providers and authentication providers to use when logging into Safeguard for Privileged Passwords

SNMP

Where you configure Safeguard for Privileged Passwords to send SNMP traps to your SNMP console when certain events occur

Starling

Where you join Safeguard for Privileged Passwords to Starling to take advantage of other Starling services, such as Starling Two-Factor Authentication (2FA)

Syslog

Where you configure Safeguard for Privileged Passwords to send event notifications to a syslog server with details about the event

Ticketing systems

Where you configure Safeguard for Privileged Passwords to integrate with your company's external ticket system or track generic tickets and not integrate with an external ticketing system

Application to Application

In order for third-party applications to use the Application to Application service to integrate with the Safeguard for Privileged Passwords vault, you must first register the application in Safeguard for Privileged Passwords. This can be done using the Administrative Tools | Settings | External Integration | Application to Application pane described below. Once the application is registered, you can enable or disable the service. For more information, see Enable or Disable Services .

The Application to Application pane displays a list of previously registered third-party applications. From this page, the Security Policy Administrator can add new application registrations, and modify or remove existing registrations. The Application to Application pane displays the following details about application registrations.

Table 152: Application to Application: Properties
Property Description

Name

The name assigned to the application's registration.

Certificate User

The name of the certificate user associated with the registered application.

NOTE: If there is no certificate user listed for an application registration, contact your Security Policy Administrator to add one. The Application to Application service on the third-party application will not work with the Safeguard for Privileged Passwords vault until a certificate user has been specified.

Enable/Disable

Toggle on

Toggle off

Indicates whether the application registration is enabled. The toggle appears blue with the switch to the right when the service is enabled, and gray with the switch to the left when the service is disabled. Click the toggle to enable or disable an application registration.

NOTE: When an application registration is disabled, Application to Application access is disabled for that third-party application until the registration is enabled again.

Description

Information about the application's registration.

Use these toolbar buttons to manage application registrations.

Table 153: Application to Application: Toolbar
Option Description

Add

Add an application registration to Safeguard for Privileged Passwords. For more information, see Adding an application registration.

Delete Selected

Remove the selected application registration from Safeguard for Privileged Passwords. For more information, see Deleting an application registration.

Refresh

Update the list of application registrations.

Edit

Modify the selected application registration.

API Keys

Display the API keys that were generated for Access Request Broker or Credential Retrieval. An API key can then be copied and used in the third-party application to authenticate with Safeguard for Privileged Passwords.

NOTE: For credential retrieval, the registration process generates an API key for each managed account. However, for access request broker, the registration process generates a single API key for all users or user groups that are added.

About Application to Application functionality

Using the Application to Application service, third-party applications can interact with Safeguard for Privileged Passwords in the following ways:

  • Credential retrieval: A third-party application can retrieve a credential from the Safeguard for Privileged Passwords vault in order to perform automated functions on the target asset. In addition, you can replace hard coded passwords in procedures, scripts, and other programs with programmatic calls.
  • Access request broker: A third-party application can initiate an access request on behalf of an authorized user so that the authorized user can be notified of the available request and log in to Safeguard for Privileged Passwords to retrieve a password or start a session.

NOTE: If Offline Workflow Mode is triggered, Application to Application operations will be halted for the number of minutes it takes to move to Offline Workflow Mode. For more information, see About Offline Workflow Mode.

Credential retrieval

A credential retrieval request using the Application to Application service allows the third-party application to retrieve credentials from the Safeguard for Privileged Passwords vault without having to go through the normal workflow process.

For example, say you have an automated system that performs a routine system diagnostic on various services in the data center every 24 hours. In order for the automated system to perform the diagnostics, it must first authenticate to the target server. Since all of the credentials for the target servers are stored in the Safeguard for Privileged Passwords vault, the automated system retrieves the credentials for a specified system by calling the Application to Application service.

Access request broker

An access request broker request using the Application to Application service allows the application to create an access request on behalf of another user.

For example, say you have a ticketing system and one of the types of tickets that can be created is to request access to a specific asset. The ticketing system can be integrated with Safeguard for Privileged Passwords through the Application to Application service to create an access request on behalf of the user that entered the ticket into the system. Once the request is created, it follows the normal access request workflow in Safeguard for Privileged Passwords and the user who entered the ticket will be notified when access is granted.

In order for a third-party application to perform one of tasks provided by the Application to Application service, the application must first be registered with Safeguard for Privileged Passwords. This registration will be associated with a certificate user and authentication to the Application to Application service will be done using the certificate and an API key. The registered application will not be allowed to authenticate to Safeguard for Privileged Passwords other than for the purpose specified. The properties associated with an application registration are:

  • API key: As part of the registration process, an API key is generated. An administrator must then copy this API key and make it available to the third-party application.
  • Certificate user: In addition to the API key, the application registration must be associated with a certificate user. The certificate that is associated with the certificate user must be signed by a certificate authority that is also trusted by Safeguard for Privileged Passwords.

    NOTE: Use your corporate PKI for issuing this certificate and installing it on the third-party application.

The Application to Application service is disabled by default and must be enabled before any credential retrievals or access request broker functions can be performed. An Appliance Administrator can use the desktop client or Safeguard for Privileged Passwords API to enable the service.

Using the desktop client:

  1. Navigate to Administrative Tools | Settings | Appliance | Enable or Disable Service.
  2. Click the Application to Application Enabled toggle to enable the service ( toggle on).

Using the API, use the following URL:

https://appliance/service/appliance/v2/A2AService/Enable

In addition, you can check the current state of the service using this same desktop client page or using the following URL:

https://appliance/service/appliance/v2/A2AService/Status

Related Topics

Setting up Application to Application

Making a request using the Application to Application service

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating