One Identity Safeguard for Privileged Passwords 7.4.1 - Administration Guide

Backup protection settings

For maximum protection, set backup encryption on an appliance or on a primary appliance for cluster-wide protection. You may encrypt a Safeguard Backup File (.sgb) with one of the following methods:

  • Standard (default): No password or GPG key is required.
  • Password: You can enter any password value. You must have the password to restore the backup.

    CAUTION: Make sure to save the password in a safe vault. There is no way to recover the password needed to restore the backup.

  • GNU Privacy Guard (GPG) public key (RSA only): You can upload a .txt file containing the public key and its metadata, or copy and paste the public key and metadata into SPP. A backup file created while a GPG public key is set is encrypted to that key when it is downloaded or archived. Only the holder of the matching private key can decrypt the file, and this must be done before the file is uploaded and restored. Once decrypted, the backup is identical to one generated with appliance protection only.

    CAUTION: Make sure to save the GPG private key in a safe vault. There is no way to decrypt a GPG protected backup file without the private key.

Once set, future backups created manually or automatically are protected.

SPP rejects every attempted upload of a backup it cannot validate. If the uploaded file is still GPG encrypted (that is, it has not been decrypted with the private key first), a message like the following displays: The uploaded file could not be validated as a genuine Safeguard backup image. It has been blocked from the appliance. An audit event is recorded for the failed backup load, with error reasons that include an invalid signature.

For details, see:

To configure backup protection

  1. If you will use GPG key protection, generate an RSA key pair and export the public key to a .txt file, to be uploaded or copied and pasted.
  2. Go to Backup and Restore:
    • web client: Navigate to Backup and Retention > Backup and Restore. Then, click Settings.
  3. From the Backup Settings dialog, select the type of backup protection for the appliance. The settings on a primary appliance are replicated to the cluster. The settings are read-only on each cluster node.
    • Appliance Protection Only: This is the default and includes no password or GPG Key protection of the backup. The backup is only encrypted as a Safeguard genuine backup.
    • Add Password Protection: Once selected, enter the password in the Backup Password text box. If a password already exists, a fixed number of dots is displayed. You can type a new password in place of the existing one and then confirm it. The password you enter is used for backups made from the time it is set until it is changed. Make sure to keep the password in a safe vault.
    • Add GPG Key Protection: Once selected, do one of the following:
      • Click Browse to upload the public key file from a .txt file you created earlier.
      • Paste the public key information generated earlier into the text box.

      When you return to this dialog, the name, fingerprint, and other identifying details of the public key are displayed.

      The GPG public key you submit is used for backups generated from the time protection is set until it is changed. Once a backup is generated while GPG is set, it will always be downloaded or archived with the GPG public key encryption, regardless of any settings changed on the appliance after it is generated. The GPG public key encryption stays with the backup metadata. In addition, if you upload the backup to another appliance, downloading the backup again will encrypt it with the same GPG public key originally provided.

  4. Click OK.
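A pre-flight check for the public key before it is pasted into the Backup Settings dialog, added here as an example; it is not part of this guide and not One Identity's code. SPP accepts RSA keys only, and GnuPG 2.3 and later generate ed25519/cv25519 keys by default, so it is worth confirming the exported key's algorithm, and its fingerprint (the value the dialog shows afterwards), before submitting it. The script parses the ASCII-armored OpenPGP public key block using only the Python standard library, verifies the armor CRC so a truncated paste is caught, and reports the primary key's algorithm and v4 fingerprint. The sample keys it builds are constructed fixtures with placeholder key material, and the function names (`check_for_spp`, `build_sample_key`) are this example's own.

```python
import base64
import hashlib

# OpenPGP public-key algorithm IDs (RFC 4880 section 9.1; 22 = EdDSA per RFC 9580)
PK_ALGOS = {1: "RSA", 2: "RSA (encrypt-only)", 3: "RSA (sign-only)", 16: "Elgamal", 17: "DSA", 18: "ECDH", 19: "ECDSA", 22: "EdDSA"}
RSA_ALGOS = {1, 2, 3}
BEGIN, END = "-----BEGIN PGP PUBLIC KEY BLOCK-----", "-----END PGP PUBLIC KEY BLOCK-----"

def crc24(data):
    # CRC-24 of the armor checksum line (RFC 4880 section 6.1)
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF

def dearmor(text):
    """Return the packet bytes of an armored public key block, verifying the CRC line if present."""
    lines = text.strip().splitlines()
    if not lines or lines[0].strip() != BEGIN:
        raise ValueError("not a PGP public key block")
    body, crc_line, in_body = [], None, False
    for line in lines[1:]:
        if line.strip() == END:
            break
        if not in_body:
            in_body = line.strip() == ""  # a blank line separates the armor headers from the data
            continue
        if line.startswith("="):
            crc_line = line.strip()[1:]
        else:
            body.append(line.strip())
    data = base64.b64decode("".join(body))
    if crc_line is not None and int.from_bytes(base64.b64decode(crc_line), "big") != crc24(data):
        raise ValueError("armor CRC mismatch: the pasted key is corrupted or truncated")
    return data

def read_packet(data, offset=0):
    """Parse one OpenPGP packet header; return (tag, body, next_offset)."""
    ctb = data[offset]
    if not ctb & 0x80:
        raise ValueError("invalid packet header")
    if ctb & 0x40:  # new-format header
        tag, first = ctb & 0x3F, data[offset + 1]
        if first < 192:
            length, hdr = first, 2
        elif first < 224:
            length, hdr = ((first - 192) << 8) + data[offset + 2] + 192, 3
        elif first == 255:
            length, hdr = int.from_bytes(data[offset + 2:offset + 6], "big"), 6
        else:
            raise ValueError("partial body lengths not supported")
    else:  # old-format header: tag in bits 2-5, length type in bits 0-1
        tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
        if ltype == 3:
            raise ValueError("indeterminate length not supported")
        hdr = {0: 2, 1: 3, 2: 5}[ltype]
        length = int.from_bytes(data[offset + 1:offset + hdr], "big")
    start = offset + hdr
    return tag, data[start:start + length], start + length

def inspect_public_key(armored):
    """Describe the primary key: algorithm and v4 fingerprint (RFC 4880 section 12.2)."""
    tag, body, _ = read_packet(dearmor(armored))
    if tag != 6:
        raise ValueError(f"first packet has tag {tag}, expected a public-key packet (tag 6)")
    if body[0] != 4:
        raise ValueError(f"unsupported key packet version {body[0]}")
    algo = body[5]  # version(1) | creation time(4) | algorithm(1) | algorithm-specific fields
    fingerprint = hashlib.sha1(b"\x99" + len(body).to_bytes(2, "big") + body).hexdigest().upper()
    return {"algorithm": PK_ALGOS.get(algo, f"unknown({algo})"), "is_rsa": algo in RSA_ALGOS,
            "fingerprint": fingerprint}

def check_for_spp(armored):
    """Return (ok, message): ok only if the block parses, the CRC verifies and the key is RSA."""
    try:
        info = inspect_public_key(armored)
    except ValueError as exc:
        return False, str(exc)
    return info["is_rsa"], f"{info['algorithm']} key, fingerprint {info['fingerprint']}" + ("" if info["is_rsa"] else "; SPP requires RSA")

def build_sample_key(algo_id, corrupt_crc=False):
    """Constructed fixture (placeholder key material, not a usable key): a minimal v4 public-key packet."""
    mpi = lambda n: n.bit_length().to_bytes(2, "big") + n.to_bytes((n.bit_length() + 7) // 8, "big")
    if algo_id in RSA_ALGOS:
        material = mpi((1 << 2047) | 0xC0FFEE) + mpi(65537)
    else:  # EdDSA layout: OID length, Ed25519 OID, MPI-encoded point
        oid = bytes.fromhex("2B06010401DA470F01")
        material = bytes([len(oid)]) + oid + mpi((0x40 << 256) | 1)
    body = bytes([4]) + (1700000000).to_bytes(4, "big") + bytes([algo_id]) + material
    packet = bytes([0x99]) + len(body).to_bytes(2, "big") + body  # 0x99 = old-format tag 6, 2-byte length
    crc = crc24(packet) ^ (1 if corrupt_crc else 0)
    b64 = base64.b64encode(packet).decode()
    return "\n".join([BEGIN, "", *[b64[i:i + 64] for i in range(0, len(b64), 64)],
                      "=" + base64.b64encode(crc.to_bytes(3, "big")).decode(), END, ""])
```

Run `check_for_spp` on the text of the exported .txt file; the fingerprint it prints should match the output of `gpg --fingerprint` for the key and, after step 4, the fingerprint shown in the dialog. The same private key is what you will later need to decrypt a downloaded or archived backup (for example with `gpg --decrypt`) before it can be uploaded to an appliance.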

Backup Retention

It is the responsibility of the Appliance Administrator to configure the maximum number of backup files you want SPP to store on the appliance.

To configure the appliance backup retention settings

  1. Go to Backup Retention:
    • web client: Navigate to Backup and Retention > Backup Retention.
  2. Enter the maximum number of backup files you want to store on the appliance. You can enter 0 to 40 for the number of backup files that will be stored on the appliance. Then click Save.

Once the maximum number of backup files is saved, the next time SPP performs a backup it deletes the oldest backup file so that the number stored stays within the limit.

Authorize VM Compatible Backups

The SPP web client allows you to generate a backup on a hardware appliance which can then be uploaded and restored on a Safeguard virtual machine.

IMPORTANT: Due to the potential security risk with migrating from a hardware appliance to a virtual machine, the Appliance Administrator making the request is required to contact One Identity Support as part of this process before they will be able to complete enabling this feature. This approval is indicated by the Not Authorized/Authorized indicator at the top of the Authorize VM Compatible Backups page.

IMPORTANT: You cannot upload a backup to a hardware appliance which was previously downloaded from hardware as VM compatible. Such a backup can only be uploaded to a Safeguard virtual machine.

IMPORTANT: This feature is not available on a replica within a cluster.

To authorize generating a hardware appliance backup for use on a virtual machine

  1. Navigate to Backup and Retention > Authorize VM Compatible Backups.
  2. In the Challenge Request User Identifier field, enter the name of the user requesting permission for the backup to be generated.

  3. Click Generate Request.

    NOTE: Only one challenge request can be active at a time. If there is a pending challenge request already active, you can cancel the active request by selecting the Invalidate Existing Challenge Request check box before generating a new request.

  4. A Challenge Request text box will appear. This text box contains the information needed by One Identity to confirm the VM compatible backup authorization request is valid. Use one of the following options to copy the information:

    • Copy Request: This copies the challenge request to your clipboard.

    • Download Request: This downloads the challenge request to a text file.

  5. Contact One Identity Support regarding your request to authorize the download of VM compatible backups from a hardware appliance. When requested, send the copied or downloaded challenge request to One Identity Support.

  6. Once One Identity Support has confirmed the request, a challenge response will be sent back. Copy and paste this text, or upload it using the Browse button, into the Challenge Response text box.

  7. Click Verify Response to confirm that the request has been approved.

    Once confirmed, an Authorized indicator will be displayed at the top of the Authorize VM Compatible Backups page. The Download VM Compatible option will now be available through the button on the Backup and Restore page on hardware appliances. In order to download a VM compatible backup it must have been created with password or GPG public key protection settings.

    You can use the Remove Authorization button to disable this feature. To re-enable it, a new Challenge Request must be sent to One Identity Support.

Certificates

Use the Certificate settings to manage the certificates used to secure One Identity Safeguard for Privileged Passwords. The panes on this page display default certificates that can be replaced or user-supplied certificates that have been added to SPP.

It is the responsibility of the Appliance Administrator to manage the Certificate Signing Requests (CSRs) used by SPP.

Go to Certificates:

  • web client: Navigate to Certificates.
Table 23: Certificates settings

Audit Log Signing Certificate

Where you manage the audit log signing certificate used to validate audit logs stored on an archive server. When the audit log is exported, the log is signed with this certificate so that its authenticity can be verified and any tampering after export detected.

Certificate Signing Request

Where you can view and manage certificate signing requests (CSRs) that have been issued by SPP. CSRs that may be created in SPP include: Audit Log Signing Certificate, SMTP Client Certificate, SSL Certificates, or Syslog Client Certificates.

Hardware Security Module Certificates

Where you manage client and server Hardware Security Module certificates. These certificates are used for connecting to Hardware Security Module devices.

SMTP Certificate

Where you manage SMTP client certificates.

SSL/TLS Certificates

Where you manage SSL/TLS certificates, including installing certificates or creating CSRs to enroll a public SSL/TLS certificate. This certificate is used to secure all HTTP traffic.

Syslog Client Certificate

Where you manage the syslog client certificate used to secure traffic between SPP and the syslog server.

Trusted CA Certificates

Where you add and manage certificates trusted by SPP and used to verify the chain of trust on certificates for various usages. For example, a trusted certificate may be your company's root Certificate Authority (CA) certificate or an intermediate certificate.