
One Identity Safeguard for Privileged Passwords 6.0.7 LTS - Administration Guide


About backups

One Identity Safeguard for Privileged Passwords backs up the following:

  • All settings, except:

    • Appliance IP address
    • Network Time Protocol (NTP) configurations
    • Domain Name System (DNS) configuration
  • Transaction history
  • All information about Safeguard for Privileged Passwords objects:

    • Accounts
    • Account groups
    • Assets
    • Asset groups
    • Entitlements
    • Partitions
    • Users
    • User groups

Safeguard for Privileged Passwords encrypts and signs the data before it makes it available for downloading to an off-appliance storage. Only a genuine Safeguard for Privileged Passwords Appliance can decrypt the backup, and then only when it is on the appliance. This means that if a backup has been downloaded from an appliance for off-appliance storage, you must first upload it to an appliance, which will verify the signature, ensuring that it is an authentic backup for Safeguard for Privileged Passwords.

Archive servers

Archive servers are external physical servers where you store backup files and session recordings. Use the Archive Servers page on the Backup and Retention settings view to configure and manage archive servers.

Navigate to Administrative Tools | Settings | Backup and Retention | Archive Servers. The Archive Servers page displays the following information about previously configured archive servers.

Table 129: Archive Servers: Properties
Property | Description
Name | The name of the archive server.
Archive Method | The transfer protocol type being used.
Network Address | The network DNS name or IP address used to connect to the server over the network.
Storage Path | The file path where you want to store backup files on the archive server.
Description | Information about the archive server.

Use these toolbar buttons to manage archive server configurations.

Table 130: Archive Servers: Toolbar
Option | Description
Add Archive Server | Add an archive server. For more information, see Adding an archive server.
Delete Selected | Remove the selected archive server configuration.
Refresh | Update the list of archive server configurations.
Edit | Modify the selected archive server configuration.

You can store backup files on an external archive server. For more information, see Archive backup.

You can configure an automatic backup schedule and specify which archive server will be used to automatically archive after the scheduled backup. For more information, see Backup settings.

Adding an archive server

Use the Archive Servers page on the Backup and Retention settings view to configure archive servers, which can then be selected to archive a backup file or assigned to an appliance to store its session recordings.

To configure an archive server

  1. Navigate to Administrative Tools | Settings | Backup and Retention | Archive Servers.

  2. Click Add Archive Server and provide the following.

    • Name: Enter the display name for the archive server. Limit: 100 characters.
    • Description: Enter information about the archive server. Limit: 255 characters.
    • Network Address: Enter a network DNS name or the IP address used to connect to the server over the network. Limit: 255 characters.
    • Storage Path: Enter the file path where you want to store backup files on the archive server. Limit: 255 characters.
    • Archive Method: Choose a transfer protocol type:
      • CIFS: Common Internet File System
      • SCP: Secure Copy Protocol
      • SFTP: Secure File Transfer Program
    • Port: The port used by SSH to log in to the managed system. Not applicable for CIFS archive mode.
    • Authentication Type: Select the type of authentication to be used to access the archive server (not applicable for CIFS archive mode):
      • Password (default)
      • Directory Account
      • SSH
    • SSH Key Generation and Deployment Settings: If SSH is selected as the authentication type, select one of the following settings:
      • Automatically Generate the SSH Key
      • Install and Use SSH Key from Safeguard for Privileged Passwords

      • Optionally, select Manually Deploy the SSH key check box. Browse to select the SSH key to be used.

    • Account Name: If Password or SSH is selected as the authentication type, enter the service account name.
    • Password: If Password or SSH is selected as the authentication type, enter the service account password.
    • Service Account: If Directory Account is selected as the authentication type, click Select Account to choose the service account to be used to access the archive server.
    • Auto Accept SSH Host Key: Select this check box to have Safeguard for Privileged Passwords automatically accept the SSH host key when it creates the archive server.
    • Test Connection: Click this button to verify that the appliance can communicate with this archive server. For more information, see About Test Connection.

  3. Click OK.

Once you have configured your archive servers, you need to designate a target archive for both your backup files and session recordings. For backup files, see Archive backup.

Audit Log Management

Safeguard for Privileged Passwords allows you to define and schedule an audit log management task to purge audit logs from the Safeguard for Privileged Passwords Appliance and archive older audit logs to a designated archive server. Archiving audit logs allows you to keep critical and relevant data online and current while eliminating or archiving audit logs that are no longer required.

CAUTION: The initial and subsequent archiving and purging of audit logs can take hours. The cluster is locked during the process. Carefully schedule and monitor this process.

To define and schedule when to perform an audit log archival task:

  1. Navigate to Administrative Tools | Settings | Backup and Retention | Audit Log Management.
  2. Select Run Every to run the job per the run details you enter. (If you deselect Run Every, the schedule details are lost.)

    • Configure the following.

      To specify the frequency without start and end times, select from the following controls. If you want to specify start and end times, go to the Use Time Window selection in this section.

      • Minutes: The job runs per the frequency of minutes you specify. For example, Every 30 Minutes runs the job every half hour over a 24-hour period. It is recommended you do not use the frequency of minutes except in unusual situations, such as testing.
      • Hours: The job runs per the minute setting you specify. For example, if it is 9 a.m. and you want to run the job every two hours at 15 minutes past the hour starting at 9:15 a.m., select Runs Every 2 Hours @ 15 minutes after the hour.

      • Days: The job runs on the frequency of days and the time you enter.

        For example, Every 2 Days Starting @ 11:59:00 PM runs the job every other evening just before midnight.

      • Weeks: The job runs per the frequency of weeks at the time and on the days you specify.

        For example, Every 2 Weeks Starting @ 5:00:00 AM and Repeat on these days with MON, WED, FRI selected runs the job every other week at 5 a.m. on Monday, Wednesday, and Friday.

      • Months: The job runs on the frequency of months at the time and on the day you specify.

        For example, if you select Every 2 Months Starting @ 1:00:00 AM along with First Saturday of the month, the job will run at 1 a.m. on the first Saturday of every other month.

    • Select Use Time Windows if you want to enter the Start and End time. You can click add or - delete to control multiple time restrictions. Each time window must be at least one minute apart and not overlap.

      For example, for a job to run every ten minutes every day from 10 p.m. to 2 a.m., enter these values:

      Enter Every 10 Minutes and Use Time Windows:

      • Start 10:00:00 PM and End 11:59:00 AM
      • Start 12:00:00 AM and End 2:00:00 AM

        An entry of Start 10:00:00 PM and End 2:00:00 AM will result in an error that the end time must be after the start time.

      If you have selected Days, Weeks, or Months, you will be able to select the number of times for the job to Repeat in the time window you enter.

      For a job to run two times every other day at 10:30 am between the hours of 4 a.m. and 8 p.m., enter these values:

      For days, enter Every 2 Days and set the Use Time Windows as Start 4:00:00 AM and End 20:00:00 PM and Repeat 2.

    • Time Zone: Select the time zone.
  3. Select an approach:
    1. Archive and delete logs:
      1. For Archive and delete audit logs older than __ days, enter the number of days that should pass before audit logs are archived to an archive server and deleted off the appliance.
      2. Select Send to archive server to store the audit logs externally from the appliance during a scheduled backup or when manually running a backup.

        Note: This option is only available if you have configured an archive server. For more information, see Adding an archive server.

      3. Click Test to test the connection to the archive server.
    2. To delete audit logs from the appliance and not back them up on an archive server, enter the days in Delete audit logs older than __ days.
  4. Click OK.
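The time window rule in step 2 (end time after start time, windows at least one minute apart, no overlap) means an overnight window has to be entered as two windows. The following is an added example, not part of the product or its documentation: it checks a set of windows against the rule as stated on this page and splits a window that crosses midnight. The function names are hypothetical, and the appliance's own validation may differ.

```python
from datetime import datetime

TIME_FORMAT = "%I:%M:%S %p"      # e.g. "10:00:00 PM", as entered in the schedule
LAST_MINUTE = 23 * 60 + 59       # 11:59 PM expressed as minutes since midnight


def to_minutes(text):
    """Convert a 12-hour clock string to minutes since midnight."""
    parsed = datetime.strptime(text, TIME_FORMAT)
    return parsed.hour * 60 + parsed.minute


def split_overnight(start, end):
    """Return one window, or two when the span crosses midnight."""
    s, e = to_minutes(start), to_minutes(end)
    if s == e:
        raise ValueError("start and end are identical")
    if e > s:
        return [(s, e)]
    # End is earlier than start, so the span wraps past midnight: close the
    # first window at 11:59 PM and open a second one at 12:00 AM.
    return [(s, LAST_MINUTE), (0, e)]


def validate_windows(windows):
    """Return a list of rule violations for (start, end) minute pairs."""
    problems = []
    usable = []
    for s, e in windows:
        if e <= s:
            problems.append(f"end must be after start: {s}-{e}")
        else:
            usable.append((s, e))
    usable.sort()
    for (s1, e1), (s2, e2) in zip(usable, usable[1:]):
        if s2 - e1 < 1:
            problems.append(f"overlapping or under one minute apart: "
                            f"{s1}-{e1} and {s2}-{e2}")
    return problems


if __name__ == "__main__":
    # Entering 10 PM to 2 AM as a single window is rejected.
    print(validate_windows([(to_minutes("10:00:00 PM"), to_minutes("2:00:00 AM"))]))
    # Split into two windows, the same span passes.
    print(validate_windows(split_overnight("10:00:00 PM", "2:00:00 AM")))
```
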