One Identity Safeguard for Privileged Passwords 7.4.1 - Administration Guide


Adding a trusted certificate

Prior to adding an asset that uses SSL server certificate validation, add the certificate's root CA and any intermediate CAs to the Trusted Certificates store in SPP. For more information, see Verify SSL Certificate.

You may need to add the syslog server certificate if it is signed by the same CA.

If a certificate upload fails, the audit log reflects: TrustedCertificateUploadFailed or ServerCertificateUploadFailed.

To add a trusted certificate

  1. Go to the following:
    • web client: Navigate to Certificates > Trusted CA Certificates.
  2. Click Upload New Trusted CA Certificate from the details toolbar.
  3. Browse and select the certificate file, then click Open.
  4. On the dialog box, enter the case-sensitive passphrase to import the certificate. If the certificate does not have a private key passphrase, leave the field empty and click OK.
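
Before uploading, it helps to confirm which certificates in an exported chain are the root and intermediate CAs that the procedure above expects, and that the asset's certificate validates only when both are trusted. The following is an added example, not part of the Administration Guide or One Identity code; it assumes the openssl command-line tool is installed, and every file name, CN and function name in it is constructed for illustration.

```shell
#!/bin/sh
# Added example, not vendor code. Every certificate here is constructed for the demo.

# classify_cert FILE: print root-ca, intermediate-ca or end-entity for one PEM certificate.
classify_cert() {
  if ! openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'; then
    echo end-entity          # not a CA certificate: nothing to add to the trusted CA store
  elif [ "$(openssl x509 -in "$1" -noout -subject_hash)" = \
         "$(openssl x509 -in "$1" -noout -issuer_hash)" ]; then
    echo root-ca             # subject and issuer match: self-issued CA
  else
    echo intermediate-ca     # CA certificate issued by another CA
  fi
}

# chain_verifies LEAF CA...: succeed only if LEAF validates with exactly these CAs trusted.
chain_verifies() {
  leaf=$1; shift
  cat "$@" > "$leaf.trust"
  openssl verify -CAfile "$leaf.trust" "$leaf" 2>/dev/null | grep -q ': OK$'
}

# make_demo_chain DIR: write a constructed root -> intermediate -> leaf chain into DIR.
make_demo_chain() {
  d=$1
  printf '%s\n' '[req]' 'distinguished_name=dn' 'prompt=no' '[dn]' 'CN=unused' \
    '[ca]' 'basicConstraints=critical,CA:TRUE' '[ee]' 'basicConstraints=CA:FALSE' > "$d/x.cnf"
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -config "$d/x.cnf" -extensions ca \
    -subj '/CN=Constructed Root CA' -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null
  for n in int leaf; do
    openssl req -new -newkey rsa:2048 -nodes -config "$d/x.cnf" \
      -subj "/CN=Constructed $n" -keyout "$d/$n.key" -out "$d/$n.csr" 2>/dev/null
  done
  openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" -CAcreateserial \
    -days 2 -extfile "$d/x.cnf" -extensions ca -out "$d/int.pem" 2>/dev/null
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.pem" -CAkey "$d/int.key" -CAcreateserial \
    -days 2 -extfile "$d/x.cnf" -extensions ee -out "$d/leaf.pem" 2>/dev/null
}

demo() {
  tmp=$(mktemp -d) && make_demo_chain "$tmp"
  for f in root int leaf; do echo "$f.pem: $(classify_cert "$tmp/$f.pem")"; done
  if chain_verifies "$tmp/leaf.pem" "$tmp/root.pem"; then echo "root only: validates"
  else echo "root only: leaf does not validate (intermediate missing)"; fi
  if chain_verifies "$tmp/leaf.pem" "$tmp/root.pem" "$tmp/int.pem"
  then echo "root + intermediate: leaf validates"; fi
  rm -rf "$tmp"
}
demo
```

Run classify_cert against each certificate exported from the asset; the files reported as root-ca and intermediate-ca are the ones to upload to Trusted CA Certificates.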

Removing a trusted certificate

To remove certificates from the appliance

  1. Go to the following:
    • web client: Navigate to Certificates > Trusted CA Certificates.
  2. Select a certificate.
  3. Click Delete Trusted CA Certificate from the details toolbar.

    IMPORTANT: SPP does not allow you to remove built-in certificate authorities.


Use the Cluster settings to create a clustered environment, to monitor the health of the cluster and its members, and to define managed networks for high availability and load distribution.

It is the responsibility of the Appliance Administrator or the Operations Administrator to create a cluster, monitor the status of the cluster, and define managed networks.

Before creating an SPP cluster, become familiar with the Disaster recovery and clusters chapter to understand:

  • Go to the following:
    • web client: Navigate to Cluster.
    Table 37: Cluster settings

    Setting: Description

    • Cluster Management: Where you create and manage a cluster and monitor the health of the cluster and its members.
    • Managed Networks: Where you define managed networks to distribute the task load for the clustered environment.
    • Offline Workflow (automatic): Where you configure Offline Workflow Mode to automatically trigger if an appliance has lost consensus (quorum) and, optionally, automatically resume online workflow. You can also manually Enable Offline Workflow and Resume Online Operations from this dialog. For more information, see About Offline Workflow Mode.
    • Session Appliances with Safeguard for Privileged Sessions link: Where you view, edit, and delete link connections when a Safeguard for Privileged Sessions cluster is linked to a Safeguard for Privileged Passwords for session recording and auditing. For more information, see SPP and Safeguard for Privileged Sessions appliance link guidance.

  • Cluster Management

    Cluster Management allows you to create and diagnose clusters.

    When using Cluster Management from the web client, performing operations against other members of the cluster will incur a Cross-Origin Resource Sharing (CORS) HTTP request. This may require you to change the Trusted Servers, CORS, and Redirects setting to allow the specific host name being used in your web browser.

  • Navigate to Cluster > Cluster Management.

    Cluster Management grid

    • Health indicators: Health indicators display in the first column in the Cluster Management grid. Cluster members periodically query other appliances in the cluster to obtain their health information. Cluster member information and health information is cached in memory, with the most recent results displayed.

      The health indicators on the nodes indicate if cluster members are in any of these states:

      error: Indicates a definite problem impacting the functionality of the cluster

      warning: Indicates a potential issue with the cluster

      locked: Indicates the cluster is locked

      (green): Indicates a healthy state

      Expand the View More section to see more details.

    • Name: The name of the appliance.
    • Network Address: The IPv4 address (or IPv6 address) of the appliance configuration interface. You can modify the appliance IP address. For more information, see How do I modify the appliance configuration settings.
    • Primary: Displays Yes if the appliance is the primary.
    • Appliance State: Indicates the appliance state. For a list of available states, see Appliance states.

    When you select an appliance, the details for the appliance display on the right. The grid information displays: name, network address, primary, and state. This additional information is available:

    • Disk Space: The amount of used and free disk space.
    • Version: The appliance version number.
    • Last Health Check: Last date and time the selected appliance's information was obtained.
    • Uptime: The amount of time (days, hours, and minutes) the appliance has been running.
    • If the replica is selected, this additional information displays for the Primary:
      • Network Address: The network DNS name or the IP address of the primary appliance in the cluster
      • MAC Address: The media access control address (MAC address), a unique identifier assigned to the network interface for communications

      • Link Present: Displays either Yes or No to indicate if there is an open communication link

      • Link Latency: The amount of time (in milliseconds) it takes for the primary to communicate with the replica. Network latency is an expression of how much time it takes for a packet of data to get from one designated point to another. Ideally, latency is as close to zero as possible.

    • Errors and warnings are reported:
      • Errors: Errors are reported. For example, if an appliance is disconnected from the primary (no quorum), an error message may be: Request Workflow: Cluster configuration database health could not be determined.

      • Warnings: Warnings are reported. For example, if an appliance is disconnected from the primary (no quorum), a warning message may be: Policy Data: There is a problem replicating policy data. Details: Policy database slave IO is not running. The Safeguard primary may be inaccessible from this appliance.

    Toolbar actions
