
One Identity Safeguard for Privileged Passwords 6.7 - Administration Guide


What's new in version 6.7

One Identity Safeguard for Privileged Passwords introduces the following new features and enhancements in this version.

Audit log synchronization, archive, and purge (191603)

Audit log synchronization, archive, and purge has been enhanced. Appliance Administrators can configure Safeguard for Privileged Passwords to perform weekly maintenance, audit log purge, and audit log archiving. Navigate to Administrative Tools | Settings | Backup and Retention | Audit Log Maintenance.

For more information, see Audit Log Maintenance.

Backup protection (191610)

For maximum backup protection, Appliance Administrators can configure backup protection which will encrypt all backups generated from all appliances in the cluster.

  • Appliance (default): Backups are encrypted as a genuine Safeguard backup and can only be decrypted on a Safeguard appliance.
  • Password: Backups are encrypted as a genuine Safeguard backup and can only be decrypted on a Safeguard appliance. In addition, backups are encrypted with the provided password. The password is required to restore the backup.
  • GNU Privacy Guard (GPG) public key (RSA only): Backups are encrypted as a genuine Safeguard backup and can only be decrypted on a Safeguard appliance. In addition, when a backup is downloaded or archived it is encrypted with the provided GPG public key. The corresponding private key is required to decrypt the backup before it can be uploaded to a Safeguard appliance.

Once set, future backups created manually or automatically are protected.

Safeguard for Privileged Passwords detects the attempted upload of an invalid backup. An audit event is created for the failed backup load, with the error reasons, which will include an invalid signature.

Backup protection is set under Administrative Tools | Settings | Backup and Retention | Safeguard Backup and Restore: click Settings and select Backup Protection Settings.

For more information, see Safeguard Backup and Restore.

Configure syslog servers that require TLS (191512)

Policy Security Administrators can configure the network protocol and syslog header type. For TCP (RFC 5424), you can specify TLS encryption and authentication (Client Certificate and Server Certificate).

  • web client: Navigate to Settings | External Integration | Syslog.
  • desktop client: Navigate to Administrative Tools | Settings | External Integration | Syslog.

For more information, see Syslog.

Login notification and desktop client inactivity timeout (237174)

When configured by Appliance Administrators, login notifications are now displayed to all users prior to login, and users must consent to the notifications and restrictions before they can log in. Be cautious about including sensitive information in your login notification, as it can be viewed by anyone without authentication. The default is no login notification (access banner). For details, see:

  • web client: Navigate to Settings | Safeguard Access | Messaging.
  • desktop client: Navigate to Administrative Tools | Settings | Messaging | Login Notification.

Appliance Administrators can now specify an inactivity timeout for the desktop client application, similar to what exists with the web client application. The default for the new desktop client application inactivity timeout is 1440 minutes (24 hours), after which the user will automatically be logged out.

  • web client: Navigate to Settings | Safeguard Access | Local Login Control.
  • desktop client: Navigate to Administrative Tools | Settings | Safeguard Access | Login Control.

Specify domain controller for Active Directory (225824)

Appliance Administrators can identify which domain controllers to use with the Specify domain controllers selection. If not specified, Safeguard for Privileged Passwords uses the domain controllers recommended from a DNS and CLDAP ping, as usual. In the Safeguard for Privileged Passwords Administration Guide, see:

Security enhancements (234139)

Trusted Servers, CORS, and Redirects

An Appliance Administrator can restrict login redirects and Cross Origin Resource Sharing (CORS) requests to the specified list of IP addresses, host names (including DNS wildcards), and CIDR notation networks.

  • web client: Navigate to Settings | External Integration | Trusted Servers, CORS and Redirects.
  • desktop client: Navigate to Administrative Tools | Settings | External Integration | Trusted Servers, CORS and Redirects.

For more information, see Trusted Servers, CORS, and Redirects.
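As an added illustration (not Safeguard's own code, whose exact matching rules may differ), the following Python shows how an allow-list made of the three entry kinds described above, IP addresses, host names with DNS wildcards, and CIDR networks, can be checked against the host of a CORS Origin or a login redirect target. The sample allow-list and origins are constructed, and ignoring scheme and port is an assumption.

```python
import ipaddress
from fnmatch import fnmatchcase
from typing import Iterable
from urllib.parse import urlsplit


def _entry_matches(entry: str, host: str) -> bool:
    """Match one allow-list entry (IP, CIDR network, host name or DNS wildcard)
    against a single lower-cased host name or IP literal."""
    entry = entry.strip().lower()
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    if ip is not None:
        # The origin carries an IP literal: only IP and CIDR entries can match it.
        try:
            return ip in ipaddress.ip_network(entry, strict=False)
        except ValueError:
            return False  # entry is a host-name pattern, never matches an IP
    if "*" in entry:
        # DNS wildcard such as *.corp.example.com. fnmatch's '*' also spans dots,
        # so deeper sub-domains match too (assumption about wildcard semantics).
        return fnmatchcase(host, entry)
    return host == entry


def is_trusted(origin: str, allow_list: Iterable[str]) -> bool:
    """Return True if the host of a CORS Origin or redirect URL is on the list.
    Scheme and port are deliberately ignored here (assumption)."""
    host = (urlsplit(origin).hostname or "").lower()
    if not host:
        return False  # unparsable or empty host: reject
    return any(_entry_matches(e, host) for e in allow_list)


# Constructed sample allow-list; not taken from any real deployment.
TRUSTED = ["sso.example.com", "*.corp.example.com", "10.20.0.0/16", "192.0.2.10"]

if __name__ == "__main__":
    for o in ("https://sso.example.com", "https://sso.example.com.evil.test",
              "https://portal.corp.example.com:8443/x", "http://10.20.5.7"):
        print(o, "->", "allowed" if is_trusted(o, TRUSTED) else "blocked")
```

Note that a suffix-padded host such as sso.example.com.evil.test is rejected because host names are compared whole, not by prefix; the wildcard entry covers sub-domains only, not the bare corp.example.com.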

Secure token service login timeout

An Appliance Administrator can select Enable Secure Token Service Login Timeout to set a 15-minute expiration time for the session-based cookies used during login. Typically, a session-based cookie does not expire and is deleted by the browser/user agent when it is closed. Setting an expiration time adds security and can prevent some replay attacks.

  • web client: Navigate to Settings | Safeguard Access | Local Login Control.
  • desktop client: Navigate to Administrative Tools | Settings | Safeguard Access | Login Control.

For more information, see Local Login Control.

SMTP authentication (191605)

Appliance Administrators can ensure only authenticated access is allowed to the mail server by configuring the SMTP client to support authentication. Authentication is set on Administrative Tools | Settings | External Integration | Email.

SSH algorithms (210503)

An Appliance Administrator can restrict the SSH algorithms that are negotiated between Safeguard for Privileged Passwords and managed assets.

  • web client: Navigate to Settings | Appliance | SSH Algorithms.
  • desktop client: Navigate to Administrative Tools | Settings | Appliance | SSH Algorithms.

For more information, see SSH Algorithms.

Time zone handling updates (225573)

User Administrators control whether end users can set their time zone. Navigate to Settings | Safeguard Access | Time Zone and select or deselect the Allow users to modify their own time zone check box. The check box is selected by default.

The time zone of a user controls the time displayed in the user interface and Activity Center downloads. The Time Zone can be set in both the desktop client ( user avatar, My Account) and web client ( Dashboard Settings | General tab).

TLS audit event logging and debug logging (240492)

TLS audit event logs

You can enable TLS audit event logging, which is automatically sent to the debug logs (available via a Support Bundle). If a syslog server is configured, the TLS audit events are also sent to the syslog server (cluster-wide).

TLS audit events include connections, closures, and failures. Failures include the reason, the initiator, and the target; for example, a certificate validation failure will include the initiator and the target. web client only: Navigate to Settings | External Integration | Syslog Events. For more information, see Syslog Events.

Debug logs

You can send debug logs to an existing syslog server. Debug logging is appliance specific.

web client only: Navigate to Settings | Appliance | Debug. For more information, see Debug.

Undelete objects (244820)

Administrator users can:

  • Undelete objects they have accidentally deleted
  • Permanently delete objects that have been deleted

The work is done via the API using these endpoints.

  • https://<network address>/service/core/v3/Deleted/Assets
  • https://<network address>/service/core/v3/Deleted/AssetAccounts
  • https://<network address>/service/core/v3/Deleted/Users
  • https://<network address>/service/core/v3/Deleted/PurgeSettings

For more information, see Using the API.

Web client for Appliance Administrator (220279)

An Appliance Administrator can perform most activities on the web client without needing to install the Windows desktop client.

Changes to expired access requests (239692)

Administrators can now clear (Close or Acknowledge) access requests in the Pending Acknowledgment state. In addition, expired requests will be automatically cleared at a faster rate (approximately every hour).

Appliance specifications

The Safeguard for Privileged Passwords Appliance is built specifically for use only with the Safeguard for Privileged Passwords privileged management software that is already installed and ready for immediate use. It comes hardened to ensure the system is secure at the hardware, operating system, and software levels.

The following two tables list the One Identity Safeguard for Privileged Passwords 3000 Appliance and 2000 Appliance specifications and power requirements.

Table 2: 3000 Appliance: Feature specifications

Feature: Specification
Processor: Intel Xeon E3-1275v6 3.8 GHz
Number of Processors: 1
Cores per Processor: 4 cores (8 threads)
L2/L3 Cache: 8 MB L3 Cache
Chipset: Intel C236 Chipset
DIMMs: Unbuffered ECC UDIMM DDR4 2400 MHz
RAM: 32 GB
Internal HD Controller: LSI MegaRAID SAS 9361-4i Single
Disk: Hard Drive 4 x Seagate 7E2000 2TB SAS 512E
Availability: TPM 2.0, ECC Memory, Redundant PSU
I/O Slots: x16 PCIe 3.0, x8 PCIe 3.0
RAID: RAID10
NIC/LOM: 4 port - dual GbE LAN with Intel i210-AT
Power Supplies: Redundant, 700W, Auto Ranging (100V~240V), ACPI compatible
Fans: 1 Supermicro SNK-P0046P and 2 Micron 16GB 2666MHz 2R ECC Unb Z01B Dual Label
Chassis: 1U Rack
Dimensions (HxWxD): 43 x 437.0 x 597.0 mm (1.7 x 17.2 x 23.5 in)
Weight: Max. 37 lbs (16.78 kg)

 

Table 3: 2000 Appliance: Feature specifications

Feature: Specification
Processor: Intel Xeon E3-1275v5 3.60 GHz
Number of Processors: 1
Cores per Processor: 4
L2/L3 Cache: 4 x 256KB L2, 8MB L3 SmartCache
Chipset: Intel C236 Chipset
DIMMs: DDR4-2400 ECC Unbuffered DIMMs
RAM: 32 GB
Internal HD Controller: LSI MegaRAID SAS 9391-4i 12Gbps SAS3
Disk: 4 x Seagate EC2.5 1TB SAS 512e
Availability: TPM 2.0, ECC Memory, Redundant PSU
I/O Slots: x16 PCIe 3.0, x8 PCIe 3.0
RAID: RAID10
NIC/LOM: 3 x Intel i210-AT GbE
Power Supplies: Redundant, 700W, Auto Ranging (100V~240V), ACPI compatible
Fans: 4 x 40mm Counter-rotating, Non-hot-swappable
Chassis: 1U Rack
Dimensions (HxWxD): 43 x 437.0 x 597.0 mm (1.7 x 17.2 x 23.5 in)
Weight: Max. 46 lbs (20.9 kg)
Miscellaneous: FIPS Compliant Chassis

Table 4: 3000 Appliance and 2000 Appliance: Power requirements

Input Voltage: 100-240 Vac
Frequency: 50-60 Hz
Power Consumption (Watts): 170.9
BTU: 583

Safeguard for Privileged Passwords is also available as a virtual appliance and from the cloud. For details see:

System requirements and versions

One Identity Safeguard for Privileged Passwords has several graphical user interfaces that allow you to manage access requests, approvals, and reviews for your managed accounts and systems:

  • The Windows desktop client consists of an end-user view and administrator view. The fully featured desktop client exposes all of the functionality of Safeguard based on the role of the authenticated user.
  • The web client is functionally similar to the desktop client end-user view and useful for requestors, reviewers, and approvers. Many administration functions are available as well.
  • The web management console displays whenever you connect to the virtual appliance and is used for first time configuration.
    When setting up a virtual environment, carefully consider the configuration aspects such as CPU, memory availability, I/O subsystem, and network infrastructure to ensure the virtual layer has the necessary resources available. See One Identity's Product Support Policies for more information on environment virtualization.

Ensure that your system meets the minimum hardware and software requirements for these clients.

If a Safeguard Sessions Appliance is joined to Safeguard for Privileged Passwords, session recording is handled via Safeguard for Privileged Sessions. The join is initiated from Safeguard for Privileged Sessions. For details about the join steps and issue resolution, see the One Identity Safeguard for Privileged Sessions Administration Guide.

Bandwidth

It is recommended that the inter-site connection, including overhead, provides more than 10 megabits per second of bandwidth with a one-way latency of less than 500 milliseconds. If you are using traffic shaping, you must allow sufficient bandwidth and priority to port 655 UDP/TCP in the shaping profile. These numbers are a guideline only; other factors could require additional network tuning, including but not limited to jitter, packet loss, response time, usage, and network saturation. If there are any further questions, check with your Network Administration team.

Desktop client system requirements

The desktop client is a native Windows application suitable for use on end-user machines. You install it from an MSI package that you can download from the appliance web client portal. You do not need administrator privileges to install the One Identity Safeguard for Privileged Passwords desktop client.

NOTE: PuTTY is used to launch the SSH client for SSH session requests and is included in the install. The desktop client looks for any user-installed PuTTY in the following locations:

  • Any reference to putty in the PATH environment variable
  • c:/Program Files/Putty
  • c:/Program Files(x86)/Putty
  • c:/Putty

If PuTTY is not found, the desktop client uses the version of PuTTY that it installed at:

<user-home-dir>/AppData/Local/Safeguard/putty.

If the user later installs PuTTY in any of the locations above, the desktop client uses that version which ensures the user has the latest version of PuTTY.
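To make that lookup order concrete, here is an added Python model of it (not the desktop client's own code): it returns the putty.exe that the precedence above would select on a given machine. Reading PATH as a ';'-separated list of directories each checked for putty.exe, and treating the `putty` entry under the user profile as a directory holding putty.exe, are assumptions.

```python
import os
from typing import Callable

# The fixed install locations the text lists, checked in this order after PATH.
FIXED_DIRS = (r"C:\Program Files\Putty", r"C:\Program Files(x86)\Putty", r"C:\Putty")
# The copy the desktop client installs itself; "putty" is taken to be a
# directory that holds putty.exe (assumption).
BUNDLED = r"{home}\AppData\Local\Safeguard\putty\putty.exe"


def resolve_putty(path_env: str, home_dir: str,
                  exists: Callable[[str], bool] = os.path.isfile) -> str:
    """Return the putty.exe the lookup order would select.

    `exists` is injectable so the precedence can be checked (or audited from an
    inventory of known file paths) without running on the Windows box itself."""
    candidates = []
    # 1. A putty.exe in any directory referenced by the PATH variable.
    for d in (p.strip() for p in path_env.split(";") if p.strip()):
        candidates.append(d.rstrip("\\") + r"\putty.exe")
    # 2. The fixed install directories, in the order listed.
    candidates.extend(d + r"\putty.exe" for d in FIXED_DIRS)
    for c in candidates:
        if exists(c):
            return c
    # 3. Nothing user-installed was found: fall back to the bundled copy.
    return BUNDLED.format(home=home_dir.rstrip("\\"))


if __name__ == "__main__":
    # Constructed inventory standing in for the filesystem of one workstation.
    present = {r"C:\Tools\putty.exe", r"C:\Program Files\Putty\putty.exe"}
    print(resolve_putty(r"C:\Windows;C:\Tools", r"C:\Users\alice", present.__contains__))
```

Because every PATH directory is consulted before the fixed locations and the bundled copy, the first PATH entry holding a putty.exe decides which PuTTY version is actually launched, which is worth confirming on managed workstations.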

Table 5: Desktop client requirements

Component: Requirements
Technology: Microsoft .NET Framework 4.6 (or later)
Windows platforms: 64-bit editions of:
  • Windows 7
  • Windows 8.1
  • Windows 10
  • Windows Server 2008 R2
  • Windows Server 2012
  • Windows Server 2012 R2
  • Windows Server 2016
  • Windows Server 2019

If the appliance setting TLS 1.2 Only (Administrative Tools | Settings | Appliance | Appliance Information) is enabled, ensure that the desktop client also has TLS 1.2 enabled. If the client has only an earlier version of TLS enabled, you will be locked out of the client and will not be able to connect to Safeguard for Privileged Passwords.

IMPORTANT: The Windows 7 Desktop client has additional requirements in order to enable TLS 1.2. For information, see Update to enable TLS 1.1 and TLS 1.2 as default secure protocols in WinHTTP in Windows.

Considerations:

  • Internet Explorer security must be set to use TLS 1.0 or higher. Ensure the proper "Use TLS" setting is enabled on the Advanced tab of the Internet Options dialog (In Internet Explorer, go to Tools | Internet Options | Advanced tab).
  • To use FIDO2 two-factor authentication, you will need a web browser that supports the WebAuthn standard.

Desktop Player

See One Identity Safeguard for Privileged Sessions [version] Safeguard Desktop Player User Guide available at: One Identity Safeguard for Privileged Sessions - Technical Documentation, User Guide.
