Chat now with support
Chat with Support

One Identity Safeguard for Privileged Passwords 6.10 - Administration Guide

Introduction System requirements and versions Using API and PowerShell tools Using the virtual appliance and web management console Cloud deployment considerations Setting up Safeguard for Privileged Passwords for the first time Using the web client Getting started with the desktop client Using the desktop client Search box Privileged access requests Toolbox Accounts Account Groups Assets Asset Groups Discovery Entitlements Partitions Settings
Access Request settings Appliance settings Asset Management settings Backup and Retention settings Certificates settings Cluster settings Enable or Disable Services settings External Integration settings Messaging settings (desktop client) Password Management settings Real-Time Reports Safeguard Access settings SSH Key Management settings
Users User Groups Disaster recovery and clusters Administrator permissions Preparing systems for management Troubleshooting Frequently asked questions Appendix A: Safeguard ports Appendix B: SPP 2.7 or later migration guidance Appendix C: SPP and SPS join guidance Appendix D: Regular Expressions About us

SSH Key

On the Connection tab, you can configure Safeguard for Privileged Passwords to authenticate to a managed system using an SSH authentication key. To rotate SSH keys, you must select the Manage SSH Key option in the asset's profile change schedule. For more information, see Adding SSH key change settings.

NOTE: This option is not available for all operating systems. But if a Safeguard for Privileged Passwords asset requires an SSH host key and does not have one, Check SSH Key, Change SSH Key, and Test Connection will fail. For more information, see Connectivity failures.

The information that displays depends on whether you choose to automatically generate the SSH key or import and manually deploy the SSH key.

Table 63: SSH Key authentication type properties
Property Description

Change the Previous SSH Settings (available on a change)

Select this check box to install the new SSH key.

If you change the Authentication Type from a Password or None to SSH Key, select the Change the Previous SSH Settings check box to ensure the SSH key is installed. Verify the key is installed before clicking Test Connection.

Automatically Generate the SSH Key

Select this option to generate the SSH authentication key.

Manually Deploy the SSH Key

When you select Automatically Generate the SSH Key, you can select this option so that you can manually append this public key to the authorized keys file on the managed system for the service account. For more information, see Downloading a public SSH key.

The SSH authentication key becomes available after Safeguard for Privileged Passwords creates the asset. If you do not select this option, Safeguard for Privileged Passwords automatically installs the SSH authentication key. If you do select this option, Safeguard for Privileged Passwords creates the key and associates it with the Safeguard for Privileged Passwords asset you are creating, but it does not install it on the managed system for you.

Import and Manually Deploy the SSH Key

Select this option, then Browse to import an SSH authentication key and enter the Password.

NOTE:Safeguard for Privileged Passwords does not currently manage the options for an authorized key. If an imported key has any options configured in the authorized keys file on the asset, these options will not be preserved when the key is rotated by Safeguard for Privileged Passwords.

Key Comment

(Optional) Enter a description of this SSH key. Maximum length of 225 characters.

Service Account Name

Enter the service account name that Safeguard for Privileged Passwords is to use for management tasks. This is the account Safeguard for Privileged Passwords uses to install the SSH authentication key on the asset. For more information, see About service accounts.

Service Account SSH Key

If not importing the SSH authentication key, then you must enter the service account SSH Key Safeguard for Privileged Passwords needs to authenticate to this managed system.

Limit: 255 characters

Privilege Elevation Command

If required, enter a privilege elevation command (such as sudo). This is used as a prefix for commands that require privileged access on the system and to manage accounts on Unix-based systems; that is, to check and change SSH keys and to discover accounts.

Sudo commands follow.

  • AuthorizedKeyCommand
Specify a program to look up the user's public keys
  • cat
  • chmod
  • chown
  • chuser
  • cp
  • dscacheutil
  • dscl
  • echo
  • egrep
  • find
  • grep
  • host
  • ls
  • mkdir
  • modprpw (hpux only)
  • mv
  • psswd
  • pwdadm
  • rm
  • sed
  • sshd
  • ssh-keygen
  • tee
  • test
  • touch
  • usermod

When adding an asset, this command is used to perform Test Connection. For more information, see About Test Connection.

The privilege elevation command must run non-interactively, that is, without prompting for a password. For more information, see Preparing Unix-based systems.

The limit is 255 characters.

Auto Accept SSH Host Key

Select this option to have Safeguard for Privileged Passwords automatically accept the SSH host key when it creates the Safeguard for Privileged Passwords asset.

When this option is selected, Safeguard for Privileged Passwords displays the thumbprint of the SSH host key that was discovered. When a managed system requiring an SSH host key does not have one, Check SSH Key will fail. For more information, see Connectivity failures.

Test Connection

Click this button to verify that Safeguard for Privileged Passwords can log in to this asset using the service account credentials you have provided. For more information, see About Test Connection.

As noted earlier: If you change the Authentication Type from a Password or None to SSH Key, select the Change the Previous SSH Settings check box to ensure the SSH key is installed. Verify the key is installed before clicking Test Connection.

Service Account Password Profile

 Click Edit to add the profile or Remove to delete the assigned profile. Available profiles are based on the partition selected on the General tab (asset discovery). To update the profile later, go to the service account and update the profile. For more information, see General tab (account).

Service Account SSH Key Profile

Click Edit to add the profile or Remove to delete the assigned profile. Available profiles are based on the partition selected on the General tab (asset discovery). To update the profile later, go to the service account and update the profile. For more information, see General tab (account).
Port

Enter the port number used by SSH to log in to the managed system.

Required

Connection Timeout

Enter the command timeout period. This option applies only to platforms that use telnet or SSH.

Default: 20 seconds

(Custom platform operation

e.g Check System Properties)

If there is a custom parameter in the custom platform script, enter the custom parameter here. The list of system parameters are here: Writing a custom platform script. Any parameter not in the list is a custom parameter.

Directory Account

NOTE: Only available for some types of directory accounts.

On the Connection tab, you can configure Safeguard for Privileged Passwords to authenticate to a managed system using an account from an external identity store such as Microsoft Active Directory. In order to use this authentication type, you must first add a directory asset to Safeguard for Privileged Passwords and add domain user accounts. Managed account users cannot be members of the Protected Users AD Security Group. For more information, see Accounts.

Table 64: Directory Account authentication type properties
Property Description
Service Account Name

Click Select Account. Choose the service account name used for management tasks. The accounts available for selection are domain user accounts that are linked to a directory that was previously added to Safeguard for Privileged Passwords.

Service Account Password

If required, enter the password used to authenticate.

Privilege Elevation Command

If required, enter a privilege elevation command (such as sudo). This is used as a prefix for commands that require privileged access on the system and to manage accounts on Unix-based systems; that is, to check and change SSH keys and to discover accounts.

Sudo commands follow.

  • AuthorizedKeyCommand
Specify a program to look up the user's public keys
  • cat
  • chmod
  • chown
  • chuser
  • cp
  • dscacheutil
  • dscl
  • echo
  • egrep
  • find
  • grep
  • host
  • ls
  • mkdir
  • modprpw (hpux only)
  • mv
  • psswd
  • pwdadm
  • rm
  • sed
  • sshd
  • ssh-keygen
  • tee
  • test
  • touch
  • usermod

When adding an asset, this command is used to perform Test Connection. For more information, see About Test Connection.

The privilege elevation command must run non-interactively, that is, without prompting for a password. For more information, see Preparing Unix-based systems.

The limit is 255 characters.

Test Connection

Click this button to verify that Safeguard for Privileged Passwords can log in to this asset using the service account credentials you have provided. For more information, see About Test Connection.

Service Account Profile

  • Click Edit to add the profile or Remove to delete the assigned profile. Available profiles are based on the partition selected on the General tab (asset discovery). To update the profile later, go to the service account and update the profile. For more information, see General tab (account).
  • Use Named Pipe for service account connection

    Select to use the Named Pipe when connecting to the asset. Clear this check box to use TCP/IP when connecting to the asset.

    Use SSL Encryption

    Select this option to enable Safeguard to encrypt communication with this asset. If you do not select this option for a MicrosoftSQL Server that is configured to force encryption, Test Connection will use untrusted encryption and succeed with valid credentials. For more information about how Safeguard database servers use SSL, see How do Safeguard for Privileged Passwords database servers use SSL.

    Verify SSL Certificate

    Use this option to enable or disable SSL Certificate verification on the asset. When enabled, Safeguard for Privileged Passwords compares the signing authority of the certificate presented by the asset to the certificates in the Trusted CA Certificates store every time Safeguard for Privileged Passwords connects to the asset. Trust must be established for Safeguard for Privileged Passwords to manage the asset. For Safeguard for Privileged Passwords to verify an SSL certificate, you must add the asset's signing authority certificate to the Trusted CA Certificates store. Only clear the Verify SSL Certificate option if you do not want to establish trust with the asset’s

    Privilege Level Password If required, enter the system enable password to allow access to the Cisco configuration.
    Auto Accept SSH Host Key

    Select this option to have Safeguard for Privileged Passwords automatically accept an SSH host key. When an asset requiring an SSH host key does not have one, Check Password will fail. For more information, see Connectivity failures.

    Instance

    Specify the Instance name if you have configured multiple instances of a SQL Server on this asset. If you have configured a default (unnamed) instance of the SQL Server on the host, you need to provide the IP address and port number.

    Port

    Enter the port number to log in to the asset. This option is not available for all operating systems.

    Connection Timeout

    Enter the directory connection timeout period. Default: 20 seconds.

    Starling Connect

    On the Connection tab, you can configure Safeguard for Privileged Passwords to authenticate to a registered connector in Starling Connect. In order to use this authentication type, you must first register a Starling Connect connector. For more information, see Registered Connectors.

    Table 65: Starling Connect authentication type properties
    Property Description
    Test Connection

    Click this button to verify that Safeguard for Privileged Passwords can log in to this asset using the service account credentials you have provided. For more information, see About Test Connection.

    Connection Timeout

    Enter the directory connection timeout period. Default: 20 seconds.

    Local System Account

    On the Connection tab, you can configure Safeguard for Privileged Passwords to authenticate to a managed SQL Server using a local system account and password. The local system account is a Windows user account on the server that is hosting the SQL database.

    NOTE: In order to use this authentication type, you must add both a Windows asset and a SQL Server asset to Safeguard for Privileged Passwords.

    Table 66: Local System Account authentication type properties
    Property Description
    Service Account

    Click Select Account to choose the local system account associated with the SQL Server for Safeguard for Privileged Passwords to use for management tasks.

    Test Connection

    Click this button to verify that Safeguard for Privileged Passwords can log in to this asset using the local system account credentials you have provided. For more information, see About Test Connection.

    Use Named Pipe for service account connection

    Select to use the Named Pipe when connecting to the asset. Clear this check box to use TCP/IP when connecting to the asset.

    Advanced

    Open to reveal the following settings:

    As Privilege

    Specify the Oracle privilege level to use when connecting with the selected Oracle service account, if required. The Oracle SYS account requires the privilege level SYSDBA or SYSOPER. For details, see the Oracle document, About Administrative Accounts and Privileges and SYSDBA and SYSOPER System Privileges.

    Instance (Service Name)

    Specify the Instance name if you have configured multiple instances of a SQL Server on this asset. If you have configured a default (unnamed) instance of the SQL Server on the host, you need to provide the IP address and port number.

    Specify the Service Name if you are configuring an Oracle asset.

    Port

    Enter the port number to log in to the asset.

    Connection Timeout

    Enter the SQL server connection timeout period.

    Default: 20 seconds

    Related Documents

    The document was helpful.

    Select Rating

    I easily found the information I needed.

    Select Rating