Setting up Safeguard for Privileged Passwords
By following these procedures, you will set up a hierarchy of administrators that ensures your company follows entitlement-based access control, as you step through the process of writing some basic policies.
NOTE: To streamline your software evaluation, these instructions are not detailed. For a full explanation of the features, refer to the Safeguard for Privileged PasswordsAdministration Guide.
Setting up the hardware appliance
|
CAUTION: To maximize security, restrict the access to MGMT interface to as few users as possible. The Management web kiosk gives access to functions without authentication, such as pulling a support bundle or rebooting the appliance. |
Follow these steps to set up and configure the Safeguard for Privileged Passwords Appliance.
Step 1: Before you start
Ensure that you install the Microsoft .NET Framework 4.6 (or later) on your management host.
Step 2: Prepare for installation
Gather the following items before you start the appliance installation process:
- Laptop
- IP address
- IP subnet mask
- IP gateway
- DNS server address
- NTP server address
-
Safeguard for Privileged Passwords license
If you purchased Safeguard for Privileged Passwords, the appropriate license files should have been sent to you via email. If you have not received an email or need it to be resent, visit https://support.oneidentity.com/contact-us/licensing. If you need to request a trial key, please send a request to sales@oneidentity.com or call +1-800-306-9329.
Step 3: Rack the appliance
Prior to installing the racks for housing the appliance, refer to the Warnings and precautions appendix in the One Identity Safeguard Appliance Setup Guide provided in the box with the hardware equipment.
Step 4: Power on the appliance
Prior to powering up the appliance, see the Standardized warning statements for AC systems appendix in the One Identity Safeguard Appliance Setup Guide.
The Safeguard for Privileged Passwords Appliance includes dual power supplies for redundant AC power and added reliability.
-
Plug the power cords to the power supply sockets on the appliance back and then connect the cords to AC outlets.
TIP: As a best practice, connect the two power cords to outlets on different circuits. One Identity recommends using an UPS on all appliances.
-
Press the Green check mark button on the front panel of the appliance for NO MORE THAN one second to power on the appliance.
|
Caution: Once the Safeguard for Privileged Passwords Appliance is booted, DO NOT press and hold the Green check mark button. Holding this button for four or more seconds will cold reset the power of the appliance and may result in damage. |
You can use the Red X button to shut down the appliance. Once the Safeguard for Privileged Passwords Appliance is booted, press and hold the Red X button for four seconds until it displays POWER OFF.
NOTE: If the Safeguard for Privileged Passwords Appliance is not yet booted, it may be necessary to press the Red X button for up to 13 seconds.
|
Caution: Once the Safeguard for Privileged Passwords Appliance is booted, DO NOT press and hold the Red X button for more than 13 seconds. This will hard power off the appliance and may result in damage. |
Step 5: Connect the management host to the appliance
The port used for a secure first-time configuration of the appliance is MGMT. This IP address is a fixed address that cannot be changed. It will always be available in case the primary interface becomes unavailable. The MGMT IP address is: 192.168.1.105.
The primary interface that connects your appliance to the network is X0. You must change the primary interface IP to match your network configuration. The default X0 IP is: 192.168.0.105.
The appliance can take up to five minutes to boot up. In addition, ping replies have been disabled on the appliance, so you will not be able to ping this secure appliance.
- Connect an Ethernet cable from the laptop to the MGMT port on the back of the appliance.
-
Set the IP address of the laptop to 192.168.1.100, the subnet mask to 255.255.255.0, and no default gateway.
Step 6: Log in to Safeguard for Privileged Passwords
-
Open a browser on the laptop and connect to the IP address of the MGMT port https://192.168.1.105.
If you have problems accessing the configuration interface, check your browser Security Settings or try using an alternate browser.
-
Accept the certificate and continue. This is only safe when using an Ethernet cable connected directly to the appliance.
- Log in to the Safeguard for Privileged Passwords web client using the Bootstrap Administrator account:
- User name: admin
-
Password: Admin123
The Bootstrap Administrator is a built-in account that allows you to get the appliance set up for first-time use. To keep your Safeguard for Privileged Passwords Appliance secure, change the default password for the Bootstrap Administrator’s account. For more information, see Completing the appliance setup.
- Configure the primary network interface (X0): On the Appliance Configuration page, configure the following. Click the Edit icon to modify these settings.
- On the Appliance Configuration page, configure the following. Click the Edit icon to modify these settings.
-
Time: Enable NTP and set the primary NTP server; if desired, set the secondary NTP server, as well. Click Save. By default, the NTP server is set to pool.ntp.org.
- Network (X0):
- Log in and download the desktop client to complete the next steps. For more information, see Completing the appliance setup.
Step 7: Connect the appliance to the network
- Connect an Ethernet cable from your primary interface (X0) on the appliance to your network.
Setting up the virtual appliance
The Appliance Administrator uses the initial setup wizard to give the virtual appliance a unique identity, license the underlying operating system, and configure the network. The initial setup wizard only needs to be run one time after the virtual appliance is first deployed, but you may run it again in the future. It will not modify the appliance identity if run in the future.
Once set up, the Appliance Administrator can change the appliance name, license, and networking information, but not the appliance identity (ApplianceID). The appliance must have a unique identity.
The steps for the Appliance Administrator to initially set up the virtual appliance follow.
Step 1: Make adequate resources available
The virtual appliances default deploy does not provide adequate resources. The minimum resources required are: 4 CPUs, 10GB RAM, and a 500GB disk. Without adequate disk space, the patch will fail and you will need to expand disk space then re-upload the patch.
Step 2: Deploy the VM
Deploy the virtual machine (VM) to your virtual infrastructure. The virtual appliance is in the InitialSetupRequired state.
Hyper-V zip file import and set up
If you are using Hyper-V, you will need the Safeguard Hyper-V zip file distributed by One Identity to setup the virtual appliance. Follow these steps to unzip the file and import:
-
Unzip the Safeguard-hyperv-prod... zip file.
-
From Hyper-V, click Options.
- Select Action, Import Virtual Machine.
-
On the Locate Folder tab, navigate to specify the folder containing the virtual machine to import then click Select Folder.
-
On the Locate Folder tab, click Next.
-
On the Select Virtual Machine tab, select Safeguard-hyperv-prod..., then click Next.
- On the Choose Import Type tab, select Copy the virtual machine (create a new unique ID), then click Next.
- On the Choose Destination tab, add the locations for the Virtual machine configuration folder, Checkpoint store, and Smart Paging folder, then click Next.
- On the Choose Storage Folders tab, identify Where do you want to store the imported virtual hard disks for this virtual machine? then click Next.
- Review the Summary tab, then click Finish.
- In the Settings, Add Hardware, connect to Safeguard's MGMT and X0 network adapter.
- Right click on the Safeguard-hyperv-prod... and click Connect... to complete the configuration and connect.
Step 3: Initial access
Initiate access using one of these methods:
- Via a virtual display: Connect to the virtual display of the virtual machine. You will not be offered the opportunity to apply a patch with this access method. Upload and download are not available from the virtual display. Continue to step 4. If you are using Hyper-V, make sure that Enhanced Session Mode is disabled for the display. See your Hyper-V documentation for details.
-
Via a browser: Configure the networking of your virtual infrastructure to proxy https://192.168.1.105 on the virtual appliance to an address accessible from your workstation then open a browser to that address. For instructions on how to do this, consult the documentation of your virtual infrastructure (for example, VMWare). You will be offered the opportunity to apply a patch with this access method. Upload and download are available from the browser. Continue to step 4.
IMPORTANT: After importing the OVA and before powering it on, check the VM to make sure it doesn't have a USB controller. If there is a USB controller, remove it.
Step 4: Complete initial setup
Click Begin Initial Setup. Once this step is complete, the appliance resumes in the Online state.
Step 5: Log in and configure Safeguard for Privileged Passwords
- If you are applying a patch, check your resources and expand the disk space, if necessary. The minimum resources are: 4 CPUs, 10GB RAM, and a 500GB disk.
- To log in, enter the following default credentials for the Bootstrap Administrator then click Log in.
- User Name: admin
-
Password: Admin123
- If you are using a browser connected via https://192.168.1.105, the Initial Setup pane identifies the current Safeguard version and offers the opportunity to apply a patch. Click Upload Patch to upload the patch to the current Safeguard version or click Skip. (This is not available when using the Safeguard Virtual Kiosk virtual display.)
- In the web management console on the Initial Setup pane, enter the following.
- Appliance Name: Enter the name of the virtual appliance.
- Windows Licensing: Select one of the following options:
-
Use KMS Server: If you leave this field blank, Safeguard will use DNS to locate the KMS Server automatically. For the KMS Server to be found, you will need to have defined the domain name in the DNS Suffixes.
If KMS is not registered with DNS, enter the network IP address of your KMS server.
-
Use Product Key: If selected, your appliance will need to be connected to the internet for the necessary verification to add your organization's Microsoft activation key.
You can update this information in Administrative Tools | Settings | Appliance | Operating System Licensing. For more information, see the Safeguard for Privileged Passwords Administration Guide, Operating system license.
- NTP: Complete the Network Time Protocol (NTP) configuration.
- Select Enable NTP to enable the protocol.
- Identify the Primary NTP Server IP address and, optionally, the Secondary NTP Server IP address.
- Network (X0): For the X0 (public) interface, enter the IPv4 and/or IPv6 information, and DNS Servers information.
- Click Save. The virtual appliance displays progress information as it configures Safeguard, the network adapter(s), and the operating system licensing.
- When you see the message Maintenance is complete, click Continue.
Step 6: Access the desktop client or use the web client
You can go to the virtual appliance's IP address for the X0 (public) interface from your browser:
- (desktop client): Log in and download the desktop client. For more information, see the Safeguard for Privileged Passwords Administration Guide, Installing the desktop client.
- (web client): Use the web client. For more information, see the Safeguard for Privileged Passwords Administration Guide, Using the web client.
Step 7: Change the Bootstrap Administrator's password
For security reasons, change the password on the Bootstrap Administrator User. For details, see the Safeguard for Privileged Passwords Administration Guide, Setting a local user's password.
View or change the virtual appliance setup
You can view or change the virtual appliance setup.
- From the web management console, click Home to see the virtual appliance name, licensing, and networking information.
- After the first setup, Safeguard for Privileged Passwords updates and networking changes can be made via the web management console by clicking Setup.
Completing the appliance setup
After setting up the hardware appliance or virtual appliance, complete these steps.
During initial installation and when applying a patch, make sure the desktop client file is the one supplied with the appliance version. If the versions are not compatible, errors will occur.
Step 1: Install the desktop client application and desktop player
NOTE: PuTTY is used to launch the SSH client for SSH session requests and is included in the install. The desktop client looks for any user-installed PuTTY in the following locations:
- Any reference to putty in the PATH environment variable
- c:/Program Files/Putty
- c:/Program Files(x86)/Putty
- c:/Putty
If PuTTY is not found, the desktop client uses the version of PuTTY that it installed at:
<user-home-dir>/AppData/Local/Safeguard/putty.
If the user later installs PuTTY in any of the locations above, the desktop client uses that version which ensures the user has the latest version of PuTTY.
Installing the Safeguard for Privileged Passwords desktop client application
-
To download the Safeguard for Privileged Passwords desktop client Windows installer .msi file, open a browser and navigate to:
https://<Appliance IP>/Safeguard.msi
Save the Safeguard.msi file in a location of your choice.
- Run the MSI package.
- Select Next in the Welcome dialog.
- Accept the End-User License Agreement and select Next.
- Select Install to begin the installation.
- Select Finish to exit the desktop client setup wizard.
- Check your desktop resolution. The desktop client works the best at a resolution of 1024 x 768 or greater.
Installing the Desktop Player
|
CAUTION: If the Desktop Player is not installed and a user tries to play back a session from the Activity Center, a message like the following will display: No Desktop Player. The Safeguard Desktop Player is not installed. Would you like to install it now? The user will need to click Yes to go to the download page to install the player following step 2 below. |
- Once the Safeguard for Privileged Passwords installation is complete, go to the Windows Start menu, Safeguard folder, and click Download Safeguard Player to be taken to the One Identity Safeguard for Privileged Sessions - Download Software web page.
-
Follow the Install Safeguard Desktop Player section of the player user guide found here:
- Go to One Identity Safeguard for Privileged Sessions - Technical Documentation.
- Scroll to User Guide and click One Identity Safeguard for Privileged Sessions [version] Safeguard Desktop Player User Guide.
-
For Safeguard Desktop player version 1.8.6 and later, ensure your signed web certificate has a Subject Alternative Name (SAN) that includes each IP address of each of your cluster members. If the settings are not correct, the Safeguard Desktop Player will generate a certificate warning like the following when replaying sessions: Unable to verify SSL certificate. To resolve this issue, import the appropriate certificates including the root CA.
New Desktop Player versions
When you have installed a version of the Safeguard Desktop Player application, you will need to uninstall the previous version to upgrade to a newer player version.
Step 2: Start the desktop client
- Log in using the Bootstrap Administrator account.
- Run the desktop client and log in with the configured IPv4 or IPv6 address for the primary interface (X0). To log in with an IPv6 address, enter it in square brackets.
- License Safeguard for Privileged Passwords using the provided license file. Go to Licensing:
- (web client): Click Settings on the left. The Settings: Appliance page displays. Click Licensing .
- (desktop client): Navigate to Administrative Tools | Settings | Appliance | Licensing.
Click to upload a new license file.
-
Designate an archive server for storing session recordings. Defining archive server configurations and assigning an archive server to an appliance are done from the desktop's Administrative Tools view:
- Go to Settings | Backup and Retention | Archive Servers to configure archive servers.
- Go to Settings | Sessions | Session Recordings Storage Management to assign an archive server to an appliance for storing recording files.
-
To configure the time zone:
- Navigate to Administrative Tools | Settings | Safeguard Access | Time Zone.
- Select the time zone in the Default User Time Zone drop-down menu.
- Ensure that your Safeguard for Privileged Passwords Appliance has the latest software version installed. To check the version:
- From the Safeguard for Privileged Passwords Desktop Client, log in with admin account credentials.
- Click Settings | Appliance | Appliance Information. The Appliance Version is displayed.
-
Go to the following product support page for the latest version:
https://support.oneidentity.com/one-identity-safeguard/download-new-releases
- If necessary, apply a patch. Wait for maintenance. If you are installing multiple patches, repeat as needed.
Changing the Bootstrap Administrator's password
The Bootstrap Administrator is a built-in account that allows you to get the appliance set up for first-time use. To keep your Safeguard for Privileged Passwords Appliance secure, once the license is added, change the default password for the Bootstrap Administrator’s account.
To change the password:
- (web client): Click your user name in the upper-right corner of the screen and select Change Password.
- (desktop client): Click your user name in the upper-right corner of the screen and select My Account then Change Password.
If this password is ever lost, you can reset it to the default of Admin123. See the Safeguard for Privileged Passwords Administration Guide, Admin password reset topic.
Step 3: Backup Safeguard for Privileged Passwords
Immediately after your initial installation of Safeguard for Privileged Passwords, make a backup of your Safeguard for Privileged Passwords Appliance.
NOTE: The default backup schedule runs at 22:00 MST, which can be modified rather than manually running a backup.
- From the Safeguard for Privileged Passwords desktop Home page, select Administrative Tools.
- In Settings, select Backup and Retention | Backups.
- Click Run Now.
Step 4: Update Safeguard for Privileged Passwords
Download the latest update from: https://support.oneidentity.com/one-identity-safeguard/.
- From the Safeguard for Privileged Passwords desktop Home page, select Administrative Tools.
- In Settings, select Appliance | Updates.
-
Click Upload a File and browse to select an update file.
NOTE: When you select a file, Safeguard for Privileged Passwords uploads it to the server, but does not install it.
- Click Install Now to install the update file immediately.
- Once you have updated Safeguard for Privileged Passwords, be sure to back up your Safeguard for Privileged Passwords Appliance.
Step 5: Add a user with Authorizer administrative permissions
The Authorizer Administrator is responsible for granting administrative access to Safeguard for Privileged Passwords.
-
From the Safeguard for Privileged Passwords desktop Home page, select Administrative Tools.
NOTE: This is where you add all the objects you need to write access request policies, such as users, accounts, and assets.
- In Administrative Tools, select Users.
- Click Add User to create a Safeguard for Privileged Passwords user with a local authentication provider and Authorizer Administrator permissions.
AuthorizerAdmin |
Test123 |
Authorizer |
The administrator responsible for granting all administrative access to Safeguard for Privileged Passwords. |
NOTE: When you choose Authorizer permissions, Safeguard for Privileged Passwords also selects User and Help Desk permissions. These additional settings cannot be cleared.
- Log out:
- In the upper-right corner of the screen, click the user avatar.
- Select Log Out.
Step 6: Change the local security policy
Before Safeguard for Privileged Passwords can reset local account passwords on Windows systems, you must change the local security policy.
- From the Windows Start menu, open Local Security Policy.
- Navigate to Local Policies | Security Options.
- Disable User Account Control: Run all administrators in Admin Approval Mode option.
- Restart your computer.
Step 7: Enable password authentication (applies to Privileged Sessions module only)
For some systems (SUSE and some Debian systems) that use SSH, you must enable password authentication in the package generated configuration file (sshd_config).
For example, in the debian sshd_config file, enable the following parameter: PasswordAuthentication yes