Chat now with support
Chat with Support

One Identity Safeguard for Privileged Passwords 6.10 - Administration Guide

Introduction System requirements and versions Using API and PowerShell tools Using the virtual appliance and web management console Cloud deployment considerations Setting up Safeguard for Privileged Passwords for the first time Using the web client Getting started with the desktop client Using the desktop client Search box Privileged access requests Toolbox Accounts Account Groups Assets Asset Groups Discovery Entitlements Partitions Settings
Access Request settings Appliance settings Asset Management settings Backup and Retention settings Certificates settings Cluster settings Enable or Disable Services settings External Integration settings Messaging settings (desktop client) Password Management settings Real-Time Reports Safeguard Access settings SSH Key Management settings
Users User Groups Disaster recovery and clusters Administrator permissions Preparing systems for management Troubleshooting Frequently asked questions Appendix A: Safeguard ports Appendix B: SPP 2.7 or later migration guidance Appendix C: SPP and SPS join guidance Appendix D: Regular Expressions About us

Creating an import file

When importing objects, such as accounts, assets, or users, Safeguard for Privileged Passwords expects the import file to be a Comma Separated Values (CSV) file.

A CSV file is a text file used to store database entries where each line is a unique record and each record consists of fields of data separated by commas. You must not add any trailing spaces in the properties you define in the CSV file. The easiest way to create a CSV file is by using a spreadsheet program such as Microsoft Excel; however, you can use any text editor, such as Notepad, to create a comma-delineated file, as long as you save the file with a .csv file type extension.

The order of the columns is not important, but the title of the column must match the property name.

To create a customized .csv file template

  1. In the Import dialog, click CSV Template Assistant.
  2. Select specific template properties from the template properties table, or select the select all check box in the heading. Safeguard for Privileged Passwords preselects the required properties; you can select any additional properties you desire.

  3. Select Download Template to save a copy of the template properties table to a location of your choice.

    • Click the View icon in the Values column to display a list of allowable values. Click Copy to copy the selected value to your copy buffer which can then be pasted into your CSV file.
    • Click Export Full Table, in upper the right corner above the properties table, to save a copy of the properties table.
  4. Locate the downloaded template and add your specific information to the template.

    • Users AdminRoles property: The value for the Authorizer Administrator is "GlobalAdmin".
  5. Use the customized .csv file to import the objects.

Considerations for valid and invalid data

Safeguard for Privileged Passwords does not add an object if any column contains invalid data in the .csv file, with the following exceptions:

  • Assets PlatformDisplayName property:
    • If Safeguard for Privileged Passwords does not find an exact match, it looks for a partial match. If it finds a partial match, it supplies the <platform> Other platform, such as Other Linux.
    • If it does not find a partial match, it supplies the Other platform type.
  • Users TimeZoneId property: If Safeguard for Privileged Passwords does not find a valid TimeZoneId property (that is, does not find an exact match or no time zone was provided), it uses the local workstation's current time zone. Do not enter numbers or abbreviations for the TimeZoneId.
  • Users Password property: Safeguard for Privileged Passwords adds a user without validating the password you provide.

Checking, changing, or setting an account password

The Asset Administrator can manually check, change, or set an account password from the Account Security menu.

To manually check, change, or set an account password

  1. Navigate to Administrative Tools | Accounts.
  2. In Accounts, select an account from the object list.
  3. Click  Account Security from the toolbar. You can also right-click the account name then click  Account Security.

    Select one of these options. You can view the progress and results of the Check and Change options in the Toolbox | Tasks pane. For more information, see Viewing task status.

    • Check Password to verify the account password is in sync with the Safeguard for Privileged Passwords database. If the password verification fails, you can change it.
    • Change Password to reset and synchronize the account password with the Safeguard for Privileged Passwords database.
    • Set Password to set the account password in the Safeguard for Privileged Passwords database. The Set option does not change the account password on the asset. The Set Password option provides the following options.
      •  Manual Password: Select this option to manually set the account password in the Safeguard for Privileged Passwords database.
        1. Click Manual Password to display the Set Password dialog.
        2. In the Set Password dialog, enter and confirm the password. Click OK to update the Safeguard for Privileged Passwords database.
        3. Set the account password on the physical device to synchronize it with the Safeguard for Privileged Passwords database.
      • Generate Password: Select this option to have Safeguard for Privileged Passwords generate a new random password, that complies with the password rule that is set in the account's profile.
        1. Click Generate Password to display the Generate Password dialog.
        2. Click Show Password to reveal the new password.
        3. Click  Copy to put it into your copy buffer.
        4. Log in to your device, using the old password, and change it to the password in your copy buffer.
        5. Click OK to change the password in the Safeguard for Privileged Passwords database or click Cancel to close the dialog without changing the current password in Safeguard for Privileged Passwords.

Viewing password archive

The Asset Administrator can access a previous password for an account for a specific date.

The Password Archive dialog only displays previously assigned passwords for the selected asset based on the date specified. This dialog does not display the current password for the asset. The password archive is never purged.

You view an account's password validation and reset history on the Check and Change Log tab.

To access an account's previous password

  1. Navigate to Administrative Tools | Accounts.
  2. In Accounts, right-click an account name and choose Password Archive.

    Or, click Password Archive from the toolbar.

  3. In the Password Archive dialog, select a date. If you select today's date (or a previous date) and no entries are returned, this indicates that the asset is still using the current password.

  4. In the View column, click to display the password that was assigned to the asset at that given date and time.
  5. In the details dialog, click Copy to copy the password to your copy buffer, or click OK to close the dialog.

Checking, changing, or setting an SSH key

The Asset Administrator can manually check, change, or set an SSH key from the Account Security menu.

To manually check, change, or set an SSH key

  1. Navigate to Administrative Tools | Accounts.
  2. In Accounts, select an account from the object list.
  3. Click  Account Security from the toolbar. You can also right-click the account name then click  Account Security.

    Select one of these option. You can view the progress and results of the Check and Change options in the Toolbox | Tasks pane. For more information, see Viewing task status.

    • Check SSH Key to verify the account SSH key is in sync with the Safeguard for Privileged Passwords database. If the SSH key verification fails, you can change it.
    • Change SSH Key to reset and synchronize the SSH key with the Safeguard for Privileged Passwords database. For service accounts, use this selection and do not use Generate SSH Key to change the SSH key.
    • Set SSH Key to set the SSH key in the Safeguard for Privileged Passwords database. The Set SSH Key option does not change the account SSH key on the asset. The Set SSH Key option provides the following options.
      • Generate: Generate a new SSH key and assign it to the account. The SSH key complies with the SSH key rule that is set in the account's profile.

        CAUTION: Do not generate a new SSH key for a service account because the connection to the asset will be lost. Instead, use Account Security : Change SSH Key.

        After you select Generate, the key is generated and saved in the Safeguard for Privileged Passwords database. The following fields display.

        • Account: The account name
        • Fingerprint: The fingerprint of the SSH key used for authentication
        • Key Comment: Information about the SSH key
        • Type: The SSH authentication key type, such as RSA or DSA. For more information, see SSH Key Management settings.
        • Length: The length of the SSH authentication key. For more information, see SSH Key Management settings.
        • Public Key: The generated key; click  Copy to put it into your copy buffer. You can then log in to your device, using the old SSH key, and change it to the SSH key in your copy buffer.
      • Import: Import a private key file for an SSH key that has been generated outside of Safeguard for Privileged Passwords and assign it to the account. Click Browse to import the key file, enter a Password, then click OK.

        When importing an SSH key that has already been manually configured for an account on an asset, it is recommended that you first verify that the key has been correctly configured before importing the key. For example, you can run an SSH client program to check that the private key can be used to login to the asset: ssh -i <privatekeyfile> -l <accountname> <assetIp>. Refer to the OpenSSH server documentation for the target platform for more details on how to configure an authorized key.

        NOTE:Safeguard for Privileged Passwords does not currently manage the options for an authorized key. If an imported key has any options configured in the authorized keys file on the asset, these options will not be preserved when the key is rotated by Safeguard for Privileged Passwords.

      • Install: If not already configured, install the account's current SSH key on the asset in the correct file for the account.
      • Verify: Check that the account's current SSH key is configured in the correct file for the account on the asset. A warning is displayed if the authorized key file permissions has identifiable issues (such as the permissions are too open and configuration settings issues exist). The verification process can not identify all potential issues, so Verify may run successfully but the key will not work when you try to authenticate.
Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating