One Identity Safeguard for Privileged Passwords 6.7 - Administration Guide

Networking

On Networking, view and configure the primary network interface, and if applicable, a proxy server to relay web traffic, and the sessions network interface.

It is the responsibility of the Appliance Administrator to ensure the network interfaces are configured correctly.

CAUTION: For AWS or Azure, the network settings user interfaces are read-only; the network settings are configured by the AWS or Azure Administrator. Changing the internal network address on a clustered appliance will break the cluster and require the appliance to be unjoined and rejoined.

(web client) To modify the networking configuration settings

  1. Navigate to Settings | Appliance | Networking.
  2. For Network X0, complete the network settings below. For more information, see Modifying the IP address.
    • MAC Address: The media access control address (MAC address), a unique identifier assigned to the network interface for communications
    • IPv4 Address: The IPv4 address of the network interface
    • IPv4 Subnet Mask: The IPv4 subnet mask of the network interface
    • IPv4 Gateway: The IPv4 default gateway
    • DNS Servers: The IP address for the primary DNS servers
    • DNS Suffixes: The network suffixes for the DNS servers
    • IPv6 Address: The IPv6 address of the network interface
    • IPv6 Prefix Length: The IPv6 subnet prefix length, which is range-validated: valid values are 1 through 127 when an IPv6 address is present.
    • IPv6 Gateway: The IPv6 default gateway
  3. For the Starling Proxy Server (web client), complete the network settings below.
    • Proxy URI: The IP address or DNS name of the proxy server.
    • Port: The port number used by the proxy server to listen for HTTP requests. The value is an integer from 1 to 65535. If different ports are specified in the proxy URI and the Port field, the Port field takes precedence.
    • Username: The user name used to connect to the proxy server. The username and password are only required if your proxy server requires them to be specified.
    • Password: The password required to connect to the proxy server. The username and password are only required if your proxy server requires them to be specified.
  4. Click Show Static Routes and make changes using the information that follows. When you are done, click Save. A message like the following displays: "Changing these values may cause all users to lose connection to the appliance." This is the general Saving network settings error and is not specific to static routes.
    • Use the following toolbar buttons, as needed.
      • To add a route, click and complete the information.
      • To modify the information for a route, select the route, click Edit, and then change the information.
      • To delete a route, select the route then click Delete Static Route. The route is immediately deleted.
      • To discard unsaved changes and revert to what was last retrieved from the database, select the route and click Revert all unsaved Static Route edits.
    • The following information can be added or changed:
      • IP Version: Select IPv4 or IPv6.
      • Prefix: The IPv4 or IPv6 IP address
      • Prefix Length: The IP subnet prefix length
      • Next Hop: The IP address of the next closest or most optimal router in the routing path
      • Metric: A value that identifies the cost that is associated with using the route

(desktop client) To modify the networking configuration settings

  1. Navigate to Administrative Tools | Settings | Appliance | Networking.
  2. Click the Edit icon next to the Network Interface or Proxy Server heading to edit or configure the network properties.
  3. Complete the network settings. Click the Edit icon next to Network Interface X0 to modify its information. For more information, see Modifying the IP address.
Table 125: desktop client Network Interface X0 properties

    • MAC Address: The media access control address (MAC address), a unique identifier assigned to the network interface for communications
    • IP Address: The IPv4 address of the network interface
    • Netmask: The IPv4 network mask
    • Default Gateway: The IPv4 default gateway
    • IPv6 Address: The IPv6 address of the network interface
    • IPv6 Prefix Length: The IPv6 subnet prefix length
    • IPv6 Gateway: The IPv6 default gateway
    • DNS Servers: The IP address for the primary DNS servers
    • DNS Suffixes: The network suffixes for the DNS servers

desktop client: Proxy Server X0

The Proxy Server X0 settings must be configured if your company policies do not allow devices to connect directly to the web. Once configured, Safeguard for Privileged Passwords uses the configured proxy server for outbound web requests to external integrated services, such as Starling.

NOTE: Only HTTP web proxy is supported.

Table 126: Proxy Server X0 properties

    • Proxy URI: The IP address or DNS name of the proxy server.
    • Port: The port number used by the proxy server to listen for HTTP requests. Value: integer from 1 to 65535. If different ports are specified in the proxy URI and the Port field, the Port field takes precedence.
    • Username: The user name used to connect to the proxy server. The username and password are only required if your proxy server requires them to be specified.
    • Password: The password required to connect to the proxy server. The username and password are only required if your proxy server requires them to be specified.

Modifying the IP address

You can change the IP address of an SPP Appliance as long as the other appliances in the SPP cluster are able to see the new subnet.

It is recommended you use the procedure below in a test environment and then deploy the steps in production. Allow plenty of time for the IP address to change. The operation will take several minutes to complete before the cluster has adjusted to the change.

  1. Ensure you are using Safeguard for Privileged Passwords 2.4 or above.
  2. Before changing the X0 IP address, make a backup.
  3. Generate a support bundle on the appliance you plan to modify the IP address on. Start with the replica first.
  4. The desktop client will give guidance on screen as you wait for the changes to be completed.
  5. After the X0 IP address change, verify clustering is working. It is recommended you change some data on the primary and verify it appears on the replica by logging on to the replica with the desktop client.
  6. Repeat steps 3, 4, and 5 for the other replicas.
  7. Once the replicas are changed, proceed with the Primary.

Safeguard for Privileged Sessions (SPS) IP address change

CAUTION: When SPP and SPS are joined and the IP address of either the SPS cluster master (Central Management role) or the SPP primary appliance is changed, the SPP/SPS join must be redone. See the information that follows.

  1. Use the following information in the SPS documentation to understand SPS cluster roles, settings, and IP address updating.
  2. If the IP address is changed, you must rejoin the cluster. For more information, see Joining SPS to SPP.
  3. Once the SPS IP addresses are successfully changed, you will need to delete the session connection in the SPP settings and rejoin the SPS cluster master to the SPP primary. For more information, see SPP and SPS sessions appliance join guidance.

Operating System Licensing

Available on the virtual appliance only, not on hardware appliances.

It is the responsibility of the Appliance Administrator to ensure the operating system is configured. Operating system licensing is automatic in the AWS and Azure deployments.

Use the Operating System Licensing pane to view and configure the operating system of a virtual appliance.

  1. Navigate to Operating System Licensing:
    • web client: Navigate to Settings | Appliance | Operating System Licensing.
    • desktop client: Navigate to Administrative Tools | Settings | Appliance | Operating System Licensing.
  2. Click Refresh anytime to refresh the settings.
  3. The display shows if Windows is licensed with KMS or licensed with a product key. Click Details to see additional information.

SSH Algorithms

The Appliance Administrator has the option to configure SSH Algorithms, if necessary, to restrict the algorithms used when connecting to any SSH server. The settings are applied whenever Safeguard for Privileged Passwords connects to any SSH server, either to connect to an asset using SSH or to connect to an archive server using SSH.

When an SSH client connects to a server, each side of the connection offers four lists of algorithms to use as connection parameters to the other side. These are:

  • Public Key: The public key algorithms accepted for an SSH server to authenticate itself to an SSH client
  • Cipher: The ciphers used to encrypt the connection
  • Kex: The key exchange methods used to generate per-connection keys
  • MAC: The message authentication codes used to detect traffic modification

By default, Safeguard for Privileged Passwords offers all supported algorithms when using SSH to connect to an archive server or asset. For each algorithm type, you can configure Safeguard to offer a subset of the supported algorithms. To return to the default (support all algorithms), delete all algorithm information entered then save the changes.

For a successful connection, there must be at least one mutually-supported choice for each parameter. Safeguard for Privileged Passwords may initiate an SSH connection to an asset or archive server and not be able to negotiate a mutually-acceptable algorithm. An error is reported and an attempt is made to identify the algorithm type that could not be negotiated. Some SSH servers do not provide enough information to identify the algorithm type.

To identify SSH algorithms

  1. Navigate to SSH Algorithms:
    • web client: Navigate to Settings | Appliance | SSH Algorithms.
    • desktop client: Navigate to Administrative Tools | Settings | Appliance | SSH Algorithms.
  2. Click Refresh anytime to refresh the settings.
  3. Enter a comma separated list of the algorithms you want in the text boxes. Leave the text box blank to allow all supported algorithms.
    • Public Key
    • Cipher
    • Kex
    • Mac
  4. Click OK (desktop client) or Save (web client).
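The negotiation rule described above (at least one mutually supported choice per algorithm type, with the failing type reported) and the comma-separated restriction boxes from the procedure, modelled in an added Python example that is not One Identity's code; the algorithm names, support lists and the legacy server are constructed for illustration only.

```python
# The four algorithm types the SSH Algorithms settings page exposes.
ALGORITHM_TYPES = ("Public Key", "Cipher", "Kex", "MAC")

# Constructed, hypothetical client-side support lists in preference order;
# these are not Safeguard's actual supported set.
CLIENT_SUPPORTED = {
    "Public Key": ["ssh-ed25519", "rsa-sha2-512", "rsa-sha2-256", "ssh-rsa"],
    "Cipher": ["aes256-gcm@openssh.com", "aes256-ctr", "aes128-ctr", "3des-cbc"],
    "Kex": ["curve25519-sha256", "ecdh-sha2-nistp256",
            "diffie-hellman-group14-sha256", "diffie-hellman-group1-sha1"],
    "MAC": ["hmac-sha2-256", "hmac-sha2-512", "hmac-sha1"],
}

def parse_restriction(text):
    """Parse one settings text box: comma-separated names; blank = no restriction."""
    return [name.strip() for name in text.split(",") if name.strip()]

def offered_algorithms(supported, restriction):
    """What the client offers: every supported name when the box is blank, otherwise
    the configured names in configured order, dropping any the client cannot do."""
    if not restriction:
        return list(supported)
    return [name for name in restriction if name in supported]

def negotiate(client_offer, server_offer):
    """First client-preferred name the server also offers (RFC 4253 section 7.1), else None."""
    server_set = set(server_offer)
    return next((name for name in client_offer if name in server_set), None)

def negotiate_connection(settings, server_offers, supported=CLIENT_SUPPORTED):
    """Negotiate every type. Returns (chosen algorithms, list of types that failed);
    the failed list is the diagnostic the error report described above tries to give."""
    chosen, failed = {}, []
    for kind in ALGORITHM_TYPES:
        restriction = parse_restriction(settings.get(kind, ""))
        pick = negotiate(offered_algorithms(supported[kind], restriction),
                         server_offers.get(kind, []))
        if pick is None:
            failed.append(kind)
        else:
            chosen[kind] = pick
    return chosen, failed

# Constructed legacy server that only offers older algorithms: restricting Kex to
# modern methods makes it unreachable, and the result names Kex as the failing type.
LEGACY_SERVER = {"Public Key": ["ssh-rsa"], "Cipher": ["aes128-ctr", "3des-cbc"],
                 "Kex": ["diffie-hellman-group14-sha256"], "MAC": ["hmac-sha1"]}
```

Leaving every box blank reproduces the default (all supported algorithms offered), while a restriction that names only algorithms a given asset lacks fails on exactly that type.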

Patch Updates

It is the responsibility of the Appliance Administrator to update or upgrade One Identity Safeguard for Privileged Passwords by installing an update file to modify the software or configuration of the running appliance. See the Download Software page for available SPP releases and version patches.

If an update fails, the audit log reflects: PatchUploadFailed.

Clustered environment

Apply the patch so all appliances in the cluster are on the same version. The procedure for patching cluster members depends on the Safeguard for Privileged Passwords version you are currently running.

  • If you are running Safeguard for Privileged Passwords 2.0.1.x or earlier, you must unjoin replica appliances, install the patch on each appliance, and then enroll the replica appliances to rebuild your cluster. For more information, see Patching cluster members in the One Identity Safeguard for Privileged Passwords 2.0 Administration Guide.
  • If you are running Safeguard for Privileged Passwords 2.1.x or 2.2.x, you can use the enhanced cluster patching feature where unjoining replica appliances is no longer required. For more information, see Patching cluster members.

To install an update file

  1. Back up your system before you install an update file. For more information, see Safeguard Backup and Restore.

  2. Go to Patch Updates:
    • web client: Navigate to Settings | Appliance | Patch Updates.
    • desktop client: Navigate to Administrative Tools | Settings | Appliance | Updates.
  3. The current Appliance Version displays along with this information:
    • web client: The operating system level, whether the appliance is online or offline, and whether the appliance is the Primary.
    • desktop client: The operating system level, the desktop client version, and whether the appliance is online or offline.
  4. Click Upload a File and browse to select an update file. Simply uploading a file does not install the file. You must complete the next step.
    If the patch verification fails, an error alert displays. Click any of the Error or Warning counts to view the errors or warnings currently logged.
  5. Once the file has successfully uploaded, click one of the following:
    • Install Now to install the update file. Respond to the confirmation dialog which includes any warnings. The install process begins and the appliance goes into maintenance mode.
      Once you install an update file, you cannot uninstall it. This button is disabled until the patch is distributed to all cluster members. If this is a single-appliance cluster, distribution is not required.
    • Distribute to Cluster is disabled if there are errors. Click Distribute to Cluster to initiate the distribution of the patch to all cluster members. Clicking Cancel will stop distribution. Cluster Update Status blocks are updated as each member receives the patch.
    • Check Errors to initiate a check of pre-patch conditions. If the patch has not been distributed or if there was an error reported during validation this will only perform the check on the local appliance. If the patch has been distributed this will perform the check on all cluster members. The same warnings may be returned from each cluster member.
    • Remove is enabled when the patch is uploaded. Click Remove to remove (unstage) the patch from all cluster members.

    The Updates pane shows the upgrade progress and when the appliance has been successfully upgraded.
