
One Identity Safeguard for Privileged Passwords 6.7 - Administration Guide


Run Now

You can click Run Now to manually trigger and create a new backup. If password or GNU Privacy Guard (GPG) encryption is set for an appliance, or on the primary appliance for cluster-wide encryption, those encryption settings are enforced when you select Run Now.

If you have selected Send to archive server, the backup will be sent to the archive server. For more information, see Backup settings.

To create a new backup

  1. Navigate to Safeguard Backup and Restore:
    • web client: Navigate to Settings | Backup and Retention | Safeguard Backup and Restore.
    • desktop client: Administrative Tools | Settings | Backup and Retention | Safeguard Backup and Restore.
  2. Click Run Now. In the web client, an Adding backup file progress bar displays to let you know the process is Running.
  3. If password encryption is required on an appliance or a primary appliance for cluster-wide backup encryption, you are prompted to enter the password. If encryption is set, make sure the password or private GPG key is available for restoring the backup later, if necessary. For more information, see Backup and restore and Backup protection settings.
  4. Verify that the Safeguard Backup File (.sgb) has been created.

Caution: If you restore a backup that is older than the Maximum Password Age set in the Local Login Control settings, all user accounts (including the bootstrap administrator) will be locked out and you will have to reset all of the user account passwords. To avoid this situation, you can reset the Maximum Password Age to zero before you perform the backup, then reset it after the restore.

TIP: As a best practice, perform backups more frequently than the Maximum Password Age setting.

Caution: Safeguard for Privileged Passwords cannot restore any access request workflow events in process at the time of a backup.

Download a backup

Safeguard for Privileged Passwords allows you to save a selected backup file in a location on your computer. Safeguard for Privileged Passwords copies the selected backup file; it does not remove the backup from the list displayed on the Backup and Restore page. To remove a file from the list display, select the file and click Remove.

To download the backup file

  1. Go to Safeguard Backup and Restore:
    • web client: Navigate to Settings | Backup and Retention | Safeguard Backup and Restore.
    • desktop client: Navigate to Administrative Tools | Settings | Backup and Retention | Safeguard Backup and Restore.
  2. Select a backup file and click Download.
  3. Based on your client:
    • web client: The .sgb file is downloaded to the browser's Download folder as defined in the browser settings. The file has a name similar to the following, which includes the date: 946d66a4fecb4359a8b01fab75519d80_Safeguard_Backup_20200617-165625.sgb
      When y
    • desktop client: Browse to select a location of your choice. Give the file a name and click OK.

Upload a backup

Safeguard for Privileged Passwords allows you to retrieve a Safeguard Backup File (.sgb) from a file location and add it to the Safeguard for Privileged Passwords Backup and Restore page list for the appliance. For more information, see Restore a backup.

Safeguard for Privileged Passwords detects all attempted uploads of an invalid backup. If a backup is GNU Privacy Guard (GPG) encrypted, a message like the following displays: The uploaded file could not be validated as a genuine Safeguard backup image. It has been blocked from the appliance. An audit event is created for the failed backup load with the error reasons, which include an invalid signature.

To upload a backup file

  1. If a GPG public key was used to encrypt the backup, the private key holder must decrypt the Safeguard Backup File (.sgb) before it can be uploaded to Safeguard for Privileged Passwords. For more information, see Backup protection settings.
  2. To upload the Safeguard Backup File (.sgb), go to Safeguard Backup and Restore:
    • web client: Navigate to Settings | Backup and Retention | Safeguard Backup and Restore.
    • desktop client: Navigate to Administrative Tools | Settings | Backup and Retention | Safeguard Backup and Restore.
  3. Click Upload.
  4. Browse to select the backup file and click Open. The Uploading backup file progress bar displays. When complete, the file is uploaded and is now available to be restored. For more information, see Restore a backup.

Restore a backup

Safeguard for Privileged Passwords allows you to restore the data on your appliance with data from a selected backup. Safeguard for Privileged Passwords does not restore the appliance IP address, NTP settings, or the DNS settings.

To verify that the settings are correct after a restore, go to:

  • web client: Navigate to Settings | Appliance | Appliance Information.

  • desktop client: Navigate to Administrative Tools | Settings | Appliance | Appliance Information.

There are special considerations for restoring a clustered appliance. For more information, see Using a backup to restore a clustered appliance.

Caution: If you restore a backup that is older than the Maximum Password Age set in the Local Login Control settings, all user accounts (including the bootstrap administrator) will be disabled and you will have to reset all of the user account passwords or SSH keys. If your bootstrap administrator's password is locked out, you can reset it from the Recovery Kiosk. For more information, see Admin password reset.

Version considerations when restoring a backup

An Appliance Administrator can restore backups as far back as Safeguard for Privileged Passwords version 2.2.0.6958. Only the data is restored; the running version is not changed.

If the administrator attempts to restore a version earlier than 2.2.0.6958, a message like the following displays: Restore failed because the backup version '[version]' is older than the minimum supported version '2.2.0.6958' for restore.

You cannot restore a backup from a version newer than the one running on the appliance. The restore will fail and a message like the following displays: Restore failed because backup version [version] is newer then the one currently running [version].

The backup version and the running version display in the Activity Center logs that are generated when Safeguard starts, completes, or fails a restore.

To restore the Safeguard for Privileged Passwords appliance from a backup

  1. Go to Safeguard Backup and Restore:
    • web client: Navigate to Settings | Backup and Retention | Safeguard Backup and Restore.
    • desktop client: Administrative Tools | Settings | Backup and Retention | Safeguard Backup and Restore.
  2. Select a backup. If the backup file is not listed, you can Upload the .sgb backup file. For more information, see Upload a backup.
  3. Click Restore.
    If a problematic condition is detected, Warning for Restore of Backup displays along with details in the Restore Warnings, Warning X of X message. Click Cancel to stop the restore process and address the warning or click Continue to move to the next warning (if any) or complete the process.
  4. If the backup is protected by a password, the Protected Backup Password dialog displays. Type the password in the Enter Backup Password text box. If the password entered is not correct, the OK button is disabled and you cannot proceed. For more information, see Backup protection settings.
  5. When the Restore dialog displays, enter the word Restore in the box and click OK.

    Safeguard for Privileged Passwords automatically restarts the appliance, if necessary.

  6. After restoring from backup, verify that the following are set correctly:

    • Check the archive server in the automated backup schedule. If necessary, set the correct archive server. For more information, see Archive backup.
    • Check the archive server in the session archive settings. If necessary, set the correct archive server. If you used the embedded sessions module and had an archive server configured, the archive server must be configured to play back the archived sessions.

    • If you restored a backup to a different appliance, managed networks will no longer have any assigned appliances. Password and SSH key management and discovery tasks will fail. For more information, see Managed Networks.
  7. Once the appliance is fully operational, it asks you to restart the Windows desktop client. All modifications to Safeguard for Privileged Passwords objects since the backup was created will be lost.

Caution: After a restore, requesters, approvers, and reviewers will not have access to any access request workflow events that were in process at the time of the backup. The Activity Center displays those workflow events as incomplete.
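A pre-restore check covering the version limits and the Maximum Password Age caution above, as an added example that is not part of the guide or of any One Identity tooling. It assumes the operator supplies the backup and running versions (for example from the Activity Center logs), that the date in the .sgb file name is the backup's creation time, that Maximum Password Age is expressed in days, and that a value of zero means no expiry is enforced; `restore_preflight` and its parameters are hypothetical names.

```python
import re
from datetime import datetime, timedelta

MIN_RESTORE_VERSION = (2, 2, 0, 6958)  # minimum supported version stated in the guide
NAME_RE = re.compile(r"_Safeguard_Backup_(\d{8}-\d{6})\.sgb$")


def parse_version(text):
    """Turn '6.7.0.12345' into a tuple of ints so comparison is numeric."""
    parts = tuple(int(p) for p in text.strip().split("."))
    if len(parts) != 4:
        raise ValueError(f"expected a four-part version, got {text!r}")
    return parts


def backup_timestamp(filename):
    """Read the date-time embedded in a downloaded .sgb file name."""
    match = NAME_RE.search(filename)
    if not match:
        raise ValueError(f"no backup timestamp in {filename!r}")
    return datetime.strptime(match.group(1), "%Y%m%d-%H%M%S")


def restore_preflight(filename, backup_version, running_version,
                      max_password_age_days, now):
    """Return a list of problems; an empty list means no blocker was found."""
    problems = []
    backup_v, running_v = parse_version(backup_version), parse_version(running_version)
    if backup_v < MIN_RESTORE_VERSION:
        problems.append("backup version is older than the minimum supported 2.2.0.6958")
    if backup_v > running_v:
        problems.append("backup version is newer than the running version")
    age = now - backup_timestamp(filename)
    # Assumption: a Maximum Password Age of zero means no expiry is enforced.
    if max_password_age_days > 0 and age > timedelta(days=max_password_age_days):
        problems.append(
            f"backup is {age.days} days old, beyond the Maximum Password Age of "
            f"{max_password_age_days} days; user accounts will need password resets")
    return problems


if __name__ == "__main__":
    # Constructed inputs: the file name is the guide's sample, the rest is made up.
    name = "946d66a4fecb4359a8b01fab75519d80_Safeguard_Backup_20200617-165625.sgb"
    for line in restore_preflight(name, "6.0.0.1", "6.7.0.1", 42,
                                  now=datetime(2020, 9, 1)):
        print("WARNING:", line)
```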
