The Asset Administrator can access a previous password for an account for a specific date.
The Password Archive dialog only displays previously assigned passwords for the selected asset based on the date specified. This dialog does not display the current password for the asset. The password archive is never purged.
You view an account's password validation and reset history on the Check and Change Log tab.
To access an account's previous password
- Navigate to Asset Management > Accounts.
- Select an account and click Password Archive.
-
In the Password Archive dialog, select a date. If you select today's date (or a previous date) and no entries are returned, this indicates that the asset is still using the current password.
- In the View column, click to display the password that was assigned to the asset at that given date and time.
- In the details dialog, click Copy to copy the password to your copy buffer.
The Asset Administrator can manually check, change, or set an SSH key from the Account Security menu.
To manually check, change, or set an SSH key
- Navigate to Asset Management > Accounts.
- In Accounts, select an account from the object list.
- Click Account Security from the toolbar.
Select one of these option.
- Check SSH Key to verify the account SSH key is in sync with the Safeguard for Privileged Passwords database. If the SSH key verification fails, you can change it.
- Change SSH Key to reset and synchronize the SSH key with the Safeguard for Privileged Passwords database. For service accounts, use this selection and do not use Generate SSH Key to change the SSH key.
- Set SSH Key to set the SSH key in the Safeguard for Privileged Passwords database. The Set SSH Key option does not change the account SSH key on the asset. The Set SSH Key option provides the following options.
-
Import an SSH Key: Import a private key file for an SSH key that has been generated outside of Safeguard for Privileged Passwords and assign it to the account. Click Browse to import the key file, enter a Password, then click OK.
When importing an SSH key that has already been manually configured for an account on an asset, it is recommended that you first verify that the key has been correctly configured before importing the key. For example, you can run an SSH client program to check that the private key can be used to login to the asset: ssh -i <privatekeyfile> -l <accountname> <assetIp>. Refer to the OpenSSH server documentation for the target platform for more details on how to configure an authorized key.
NOTE:Safeguard for Privileged Passwords does not currently manage the options for an authorized key. If an imported key has any options configured in the authorized keys file on the asset, these options will not be preserved when the key is rotated by Safeguard for Privileged Passwords.
- Deploy SSH Key: If not already configured, install the account's current SSH key on the asset in the correct file for the account.
The Asset Administrator can access a previous SSH key for an account for a specific date.
The SSH Key Archive dialog only displays previously assigned SSH keys for the selected asset based on the date specified. This dialog does not display the current SSH key for the asset. The SSH key archive is never purged.
You view an account's SSH key validation and reset history on the Check and Change Log tab.
To access an account's previous SSH key
- Navigate to Asset Management > Accounts.
- Select an account name and click SSH Key Archive.
-
In the SSH Key Archive dialog, select a date. If you select today's date (or a previous date) and no entries are returned, this indicates that the asset is still using the current SSH key.
- In the View column, click to display the SSH key that was assigned to the asset at that given date and time.
- In the details dialog, click Copy to copy the SSH key to your copy buffer, or click OK to close the dialog.
A Safeguard for Privileged Passwords asset is a computer, server, network device, or application managed by a Safeguard for Privileged Passwords Appliance.
It is the responsibility of the Asset Administrator (or delegated partition owner) to add assets and accounts to Safeguard for Privileged Passwords. The Auditor has permission to access Assets. Account owners also have read permissions for the Properties and Accounts tabs for the assets associated with their account.
Before adding assets to Safeguard for Privileged Passwords, you must ensure they are properly configured. For more information, see Preparing systems for management.
Each asset can have associated accounts (user, group, and service) identified on the Accounts tab (asset). If an asset is deleted, associated accounts are deleted.
All assets must be governed by a profile (for more information, see Assigning a profile to an asset). All new assets are automatically governed by the default profile unless otherwise specified.
An asset can only be in one partition at a time (for more information, see Assigning an asset to a partition). When you add an asset to a partition, all accounts associated with that asset are automatically added to that partition.
You can identify a default partition and default profile so that when you add assets, the assets are added to the default partition and default profile. For more information, see Setting a default partition.
Asset Discovery jobs run automatically against the directories you have added. For information about configuring asset discovery in Safeguard for Privileged Passwords, see Asset Discovery job workflow.
Using a domain controller (DC) asset
You can manage tasks and services on a domain controller (DC) asset. Dependent accounts are managed on the DC asset. A DC asset will only support updating dependent passwords. Account passwords for a domain controller are managed via the directory asset.
- Create the DC asset as windows server platform, using a directory authentication for the connection service account. For more information, see Adding an asset.
- Ensure that the service account for the task/service you want to manage is defined in the Directory asset. For more information, see Adding an account to an asset.
- Add an account dependency for the service account to the DC asset. For more information, see Adding account dependencies.
Using Check Point GAiA
Passwords and SSH keys can be managed on the Check Point GAiA platform, R76 through R80.30.
In addition to managing user accounts, Safeguard for Privileged Passwords can also manage the password for the Check Point expert command. The expert password appears as a normal user account in Safeguard for Privileged Passwords except that it is marked as a privileged account. This means that it cannot be used as a service account and you cannot generate or install an SSH key for the account.
The minimum requirements for choosing a service account for Check Point follow:
- The service account for Check Point must have CLI access enabled and must have the following RBA features enabled:
- read-write user
- read-only group
- In order to manage the expert password, the service account must also have the following RBA features enabled:
- read-write expert-password-hash
- read-write expert
To manage SSH keys, the service account must have a Unix shell configured as the login shell. If the UID is not 0, then sudo privileges will be required to elevate privileges.
When adding an asset, you will select Check Point GAiA (SSH) as the Product and the Privileged Account displays expert.
Assets view
To access Assets:
- web client: Navigate to Asset Management > Assets. If needed, you can use the partition drop-down to select the parent partition of the asset. Select an asset, then click to display additional information and options.
The Assets view displays the following information about the selected system. Not all selections will be available for all assets.
- Properties tab (asset): Displays general, management and connection settings for the selected asset.
- Owners tab (asset): Displays information about the users and user groups that are owners of the asset (either assigned from this tab or from the ownership derived from a tag associated with this asset). This tab does not list partition owners that are also effective owners of this asset.
- Accounts tab (asset): Displays the accounts associated with this asset.
- Account Dependencies tab (asset): Windows only: Displays the directory accounts that the selected Windows server depends on to perform services and tasks.
- Discovered Services tab (asset): Displays the details of each discovered service associated with the selected asset.
- Discovered SSH Keys (asset): Displays the SSH keys discovered on the asset.
- History tab (asset): Displays the details of each operation that has affected the selected asset.
Toolbar
Use these toolbar buttons to manage assets:
- New Asset : Add assets to Safeguard for Privileged Passwords. For more information, see Adding an asset.
- Delete : Remove the selected asset.
When you delete an asset, you also permanently delete all the Safeguard for Privileged Passwords accounts associated with the asset.For more information, see Deleting an asset.
- View Details: Select an asset then click this button to open additional information and options for the asset.
- Access Request: Allows you to enable or disable access request services for the selected asset. Menu options include Enable Session Request and Disable Session Request.
- SSH Host Key: Menu options include:
- Test Connection: Select to verify that Safeguard for Privileged Passwords can log in to the asset using the current service account credentials. For more information, see Checking an asset's connectivity.
- Syncronize Now: Run the directory addition (incremental) synchronization process by asset and account. The sync is queued by asset by provider and runs one directory sync on that asset at a time. You can run multiple syncs in parallel on different assets. This is the faster type of directory sync because deletions are not synced. A Tasks window displays the progress and outcome of the task. You can click Details to see more information or click Stop to cancel the task. In addition, this process runs through the discovery, if there are discovery rules and configurations set up.The API (Assets/Synchronize) can be used to run the deletion (full) sync which includes all deletions, additions, and changes. This sync takes longer (perhaps hours), especially the first time it is run based on your directory setup.
- Discover Accounts: Run the associated Account Discovery job. For more information, see Account Discovery.
- Enable-Disable: Select one of the following:
Select Enable to have Safeguard for Privileged Passwords manage a disabled asset. Account Discovery jobs find all accounts that match the discovery rule's criteria regardless of whether it has been marked Enabled or Disabled in the past.
Select Disable to prevent Safeguard for Privileged Passwords from managing the selected asset. When you disable an asset, Safeguard for Privileged Passwords disables it and removes all associated accounts. If you choose to manage the asset later, Safeguard for Privileged Passwords re-enables all the associated accounts.
- Show Disabled: Display the assets that are not managed and are disabled and have no associated accounts. Asset management can be controlled by selecting an asset and selecting Enable-Disable.
- Hide Disabled: Hide the assets that are not managed and are disabled and have no associated accounts. Asset management can be controlled by selecting an asset and selecting Enable-Disable.
- Export: Use this button to export the listed data as either a JSON or CSV file. For more information, see Exporting data.
- Refresh: Update the list of assets.