Chat now with support
Chat with Support

One Identity Safeguard for Privileged Passwords 6.9 - Administration Guide

Introduction System requirements and versions Using API and PowerShell tools Using the virtual appliance and web management console Cloud deployment considerations Setting up Safeguard for Privileged Passwords for the first time Using the web client Getting started with the desktop client Using the desktop client Search box Privileged access requests Toolbox Accounts Account Groups Assets Asset Groups Discovery Entitlements Partitions Settings
Access Request settings Appliance settings Asset Management settings Backup and Retention settings Certificates settings Cluster settings Enable or Disable Services settings External Integration settings Messaging settings (desktop client) Password Management settings Real-Time Reports Safeguard Access settings SSH Key Management settings
Users User Groups Disaster recovery and clusters Administrator permissions Preparing systems for management Troubleshooting Frequently asked questions Appendix A: Safeguard ports Appendix B: SPP 2.7 or later migration guidance Appendix C: SPP and SPS join guidance Appendix D: Regular Expressions About us

Password (local service account)

On the Connection tab, you can configure Safeguard for Privileged Passwords to authenticate to a managed system using a local service account and password.

NOTE: Some options are not available for all operating systems.

Table 67: Password authentication type properties
Property Description
Distinguished Name

For LDAP platforms, enter the fully qualified distinguished name (FQDN) for the service account.

For example: cn=dev-sa,ou=people,dc=example,dc=com

Service Account Name

Browse to select the service account for Safeguard for Privileged Passwords to use for management tasks. When you add the asset, Safeguard for Privileged Passwords automatically adds the service account to Accounts. For more information, see About service accounts.

Required except for LDAP platforms, which use the Distinguished Name.

Service Account Password

Enter the service account password used to authenticate to this asset.

Limit: 255 character

Privilege Elevation Command

If required, enter a privilege elevation command (such as sudo). This is used as a prefix for commands that require privileged access on the system and to manage accounts on Unix-based systems; that is, to check and change SSH keys and to discover accounts.

Sudo commands follow.

  • AuthorizedKeyCommand
Specify a program to look up the user's public keys
  • cat
  • chmod
  • chown
  • chuser
  • cp
  • dscacheutil
  • dscl
  • echo
  • egrep
  • find
  • grep
  • host
  • ls
  • mkdir
  • modprpw (hpux only)
  • mv
  • psswd
  • pwdadm
  • rm
  • sed
  • sshd
  • ssh-keygen
  • tee
  • test
  • touch
  • usermod

When adding an asset, this command is used to perform Test Connection. For more information, see About Test Connection.

The privilege elevation command must run non-interactively, that is, without prompting for a password. For more information, see Preparing Unix-based systems.

The limit is 255 characters.

Privilege Level Password

Enter the Enable password to allow access to the Cisco configuration.

Auto Accept SSH Host Key

This check box is selected by default indicating that Safeguard for Privileged Passwords automatically accepts an SSH host key. This option is not available for all platforms.

Once the SSH host key is discovered, the SSH host key fingerprint is displayed.

When an asset requiring an SSH host key does not have one, Check Password will fail. For more information, see Connectivity failures.

Test Connection

Click this button to verify that Safeguard for Privileged Passwords can log in to this asset using the service account credentials you have provided. For more information, see About Test Connection.

Service Account Password Profile

Click Edit to add the profile or Remove to delete the assigned profile. Available profiles are based on the partition selected on the General tab (asset discovery). To update the profile later, go to the service account and update the profile. For more information, see General tab (account).

Service Account SSH Key Profile

Click Edit to add the profile or Remove to delete the assigned profile. Available profiles are based on the partition selected on the General tab (asset discovery). To update the profile later, go to the service account and update the profile. For more information, see General tab (account).

Use SSL Encryption

Select this option to enable Safeguard to encrypt communication with this asset. If you do not select this option for a MicrosoftSQL Server that is configured to force encryption, Test Connection will use untrusted encryption and succeed with valid credentials. For more information about how Safeguard database servers use SSL, see How do Safeguard for Privileged Passwords database servers use SSL

Verify SSL Certificate

Use this option to enable or disable SSL Certificate verification on the asset. When enabled, Safeguard for Privileged Passwords compares the signing authority of the certificate presented by the asset to the certificates in the Trusted CA Certificates store every time Safeguard for Privileged Passwords connects to the asset. Trust must be established for Safeguard for Privileged Passwords to manage the asset. For Safeguard for Privileged Passwords to verify an SSL certificate, you must add the asset's signing authority certificate to the Trusted CA Certificates store. Only clear the Verify SSL Certificate option if you do not want to establish trust with the asset’s

As Privilege

Specify the Oracle privilege level to use when connecting with the selected Oracle service account, if required. The Oracle SYS account requires the privilege level SYSDBA or SYSOPER. For details, see the Oracle document, About Administrative Accounts and Privileges and SYSDBA and SYSOPER System Privileges.

Instance (Service Name)

Specify the Instance name if you have configured multiple instances of a SQL Server on this asset. If you have configured a default (unnamed) instance of the SQL Server on the host, you need to provide the IP address and port number.

Specify the Service Name if you are configuring an Oracle asset.

Workstation ID

Specify the configured workstation ID, if applicable. This option is for IBM i systems.

Port

Enter the port number on which the asset will be listening for connections.

Default: port 22; port 1433 for SQL server; port 8443 for SonicWALL SMA or CMS appliance.

Connection Timeout

Enter the connection timeout period.

Default: 20 seconds

(Custom platform operation

such as Check System Properties)

If there is a custom parameter in the custom platform script, enter the custom parameter here. The list of system parameters are here: Writing a custom platform script. Any parameter not in the list is a custom parameter.

Access Key

On the Connection tab, you can configure Safeguard for Privileged Passwords to authenticate to a managed system using an access key.

Table 68: Access Key authentication type properties
Property Description
Service Account

Enter an account for Safeguard for Privileged Passwords to use for management tasks. For more information, see About service accounts.

Access Key ID

Enter the unique identifier that is associated with the secret key. The access key ID and secret key are used together to sign programmatic AWS requests cryptographically.

Limit: 32 alphanumeric characters

Secret Key

Enter a secret access key used to cryptographically sign programmatic Amazon Web Services (AWS) requests.

Limit: 40 alphanumeric characters; the + and the / characters are also allowed.

Test Connection

Click this button to verify that Safeguard for Privileged Passwords can log in to this asset using the service account credentials you have provided. For more information, see About Test Connection.

Port

Enter the port number to log in to the asset.

Connection Timeout

Enter the connection timeout period.

Default: 20 seconds

None

When the asset's Authentication Type on the Connection tab is set to None, Safeguard for Privileged Passwords does not manage any accounts associated with the asset and does not store asset related credentials.

All assets must have a service account in order to check and change the passwords for the accounts associated with the asset.

Select the Auto Accept SSH Host Key to have Safeguard for Privileged Passwords automatically accept the SSH host key when it creates the archive server. For more information, see Adding an archive server.

Attributes tab (add asset)

The Attributes tab is used to add attributes to directory assets, including Active Directory and LDAP. For more information, see Adding identity and authentication providers.

IMPORTANT: Some Active Directory attributes are fixed and cannot be changed.

Table 69: Active Directory and LDAP: Attributes tab
Safeguard for Privileged Passwords Attribute Directory Attribute
Users
Object Class

Default: user for Active Directory, inetOrgPerson for LDAP

Click Browse to select a class definition that defines the valid attributes for the user object class.

User Name

sAMAccountName for Active Directory, cn for LDAP

Password

userPassword for LDAP

Description

description

MemberOf

Blank by default, this attribute can be set to a directory schema attribute that contains the list of directory groups of which the user is a member.

Alternate Login Name

userPrincipalName

NOTE:

By default the Alternate Login Name attribute for directories is set to userPrincipalName, however another directory attribute containing a UPN type account name can be used.

This attribute can be used in conjunction with the API's UseAltLoginName setting (disabled by default) which will instead use the Alternate Login Name as the account name. The API is PUT https://<host>/service/core/v3/AccessPolicies/{id} where the {id} is the id of the accessPolicy where you'll set the UseAltLoginName to true. UseAltLoginName is a boolean field on the asset data object.

Groups
Object Class

Default: group for Active Directory, groupOfNames for LDAP

Click Browse to select a class definition that defines the valid attributes for the computer object class.

Name

sAMAccountName for Active Directory, cn for LDAP

Member

member

Computer Attributes  

Object Class

Default: computer for Active Directory, ipHost for LDAP

Click Browse to select a class definition that defines the valid attributes for the computer object class.

Name

cn

Network Address

dNSHostName for Active Directory, ipHostNumber for LDAP

Operating System

operatingSystem for Active Directory

Operating System Version

operatingSystemVersion for Active Directory

Description

description

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating