
One Identity Safeguard for Privileged Passwords 7.4.1 - Administration Guide


Directory Account

NOTE: Only available for some types of directory accounts.

On the Connection tab, you can configure SPP to authenticate to a managed system using an account from an external identity store such as Microsoft Active Directory. To use this authentication type, you must first add a directory asset to SPP and add domain user accounts. Managed account users cannot be members of the Protected Users AD security group (membership in that group disables NTLM authentication and applies additional Kerberos restrictions to the account). For more information, see Accounts.

Table 110: Directory Account authentication type properties
Property Description
Service Account Name

Click Select Account. Choose the service account name used for management tasks. The accounts available for selection are domain user accounts that are linked to a directory that was previously added to SPP.

Service Account Password

If required, enter the password used to authenticate.

Privilege Elevation Command

If required, enter a privilege elevation command (such as sudo). This is used as a prefix for commands that require privileged access on the system and to manage accounts on Unix-based systems; that is, to check and change SSH keys and to discover accounts.

The commands SPP runs through this prefix on Unix-based systems are:

  • AuthorizedKeyCommand (specify a program to look up the user's public keys)
  • cat
  • chmod
  • chown
  • cp
  • echo
  • egrep
  • find
  • grep
  • host
  • ls
  • mkdir
  • mv
  • rm
  • sed
  • sshd
  • ssh-keygen
  • tee
  • test
  • touch
  • usermod

When adding an asset, this command is used to perform Test Connection. For more information, see About Test Connection.

The privilege elevation command must run non-interactively, that is, without prompting for a password. For more information, see Preparing Unix-based systems.

The limit is 255 characters.

Test Connection

Click this button to verify that SPP can log in to this asset using the service account credentials you have provided. For more information, see About Test Connection.

Service Account Profile

Click Edit to add the profile or Remove to delete the assigned profile. Available profiles are based on the partition selected on the General tab (asset discovery). To update the profile later, go to the service account and update the profile. For more information, see Properties (account).

Use Named Pipe for service account connection

Select this check box to use a named pipe when connecting to the asset; clear it to use TCP/IP.

Use SSL Encryption

Selected by default, this option enables Safeguard to encrypt communication with this asset.

To support SSL on Active Directory, you must upload the SSL certificate used by the Active Directory forest. The LDAPS binding must be on port 636. For information on this process within Active Directory, see Enable LDAP over SSL with a third-party certificate authority.

If you do not select this option for a Microsoft SQL Server that is configured to force encryption, Test Connection uses untrusted encryption and succeeds with valid credentials: the session is encrypted, but the server certificate is not validated, so a passing test does not prove that SPP reached the intended server. For more information about how Safeguard database servers use SSL, see How do SPP database servers use SSL.

Verify SSL Certificate

Use this option to enable or disable SSL certificate verification on the asset. When enabled, Safeguard for Privileged Passwords compares the signing authority of the certificate presented by the asset to the certificates in the Trusted CA Certificates store every time Safeguard for Privileged Passwords connects to the asset. Trust must be established for Safeguard for Privileged Passwords to manage the asset. For Safeguard for Privileged Passwords to verify an SSL certificate, you must add the asset's signing authority certificate to the Trusted CA Certificates store. Only clear the Verify SSL Certificate option if you do not want to establish trust with the asset; with verification cleared, any host that answers on the configured address and port can present its own certificate and receive the service account credentials.

Privilege Level Password

If required, enter the system enable password to allow access to the Cisco configuration.

Auto Accept SSH Host Key

Select this option to have SPP automatically accept an SSH host key. When an asset requiring an SSH host key does not have one, Check Password will fail. For more information, see Connectivity failures.

Instance

Specify the Instance name if you have configured multiple instances of a SQL Server on this asset. If you have configured a default (unnamed) instance of the SQL Server on the host, you need to provide the IP address and port number.

Port

Enter the port number to log in to the asset. This option is not available for all operating systems.

Connection Timeout

Enter the directory connection timeout period. Default: 20 seconds.

Starling Connect

On the Connection tab, you can configure SPP to authenticate to a registered connector in Starling Connect. To use this authentication type, you must first register a Starling Connect connector. For more information, see Registered Connectors.

Table 111: Starling Connect authentication type properties
Property Description
Test Connection

Click this button to verify that SPP can log in to this asset using the service account credentials you have provided. For more information, see About Test Connection.

Connection Timeout

Enter the directory connection timeout period. Default: 20 seconds.

Local System Account

On the Connection tab, you can configure SPP to authenticate to a managed SQL Server using a local system account and password. The local system account is a Windows user account on the server that is hosting the SQL database.

NOTE: To use this authentication type, you must add both a Windows asset and a SQL Server asset to SPP.

Table 112: Local System Account authentication type properties
Property Description
Test Connection

Click this button to verify that SPP can log in to this asset using the local system account credentials you have provided. For more information, see About Test Connection.

Use SSL Encryption

Select this option to enable Safeguard to encrypt communication with this asset. If you do not select this option for a Microsoft SQL Server that is configured to force encryption, Test Connection uses untrusted encryption and succeeds with valid credentials. For more information about how Safeguard database servers use SSL, see How do SPP database servers use SSL.

Verify SSL Certificate

Use this option to enable or disable SSL certificate verification on the asset. When enabled, Safeguard for Privileged Passwords compares the signing authority of the certificate presented by the asset to the certificates in the Trusted CA Certificates store every time Safeguard for Privileged Passwords connects to the asset. Trust must be established for Safeguard for Privileged Passwords to manage the asset. For Safeguard for Privileged Passwords to verify an SSL certificate, you must add the asset's signing authority certificate to the Trusted CA Certificates store. Only clear the Verify SSL Certificate option if you do not want to establish trust with the asset.

Instance/Service Name

For SQL Server platforms, specify the Instance name if you have configured multiple instances of a SQL Server on this asset. If you have configured a default (unnamed) instance of the SQL Server on the host, you need to provide the IP address and port number.

For Oracle platforms, use the TNSNAMES naming method to identify the target system in Oracle. Depending on how the Oracle environment is configured, the Instance (also called SID in Oracle) and/or the Service Name (ServiceName) can be used to identify the target database.

Port

Enter the port number to log in to the asset.

Connection Timeout

Enter how long to wait (in seconds) for both the connect and command timeout.

Default: 20 seconds

Password (local service account)

On the Connection tab, you can configure SPP to authenticate to a managed system using a local service account and password.

NOTE: Some options are not available for all operating systems.

Table 113: Password authentication type properties
Property Description
Distinguished Name

For LDAP platforms, enter the full distinguished name (DN) of the service account.

For example: cn=dev-sa,ou=people,dc=example,dc=com

Service Account Distinguished Name

Browse to select the service account for SPP to use for management tasks. When you add the asset, SPP automatically adds the service account to Accounts. For more information, see About service accounts.

Required except for LDAP platforms, which use the Distinguished Name.

Password

Enter the service account password used to authenticate to this asset.

Limit: 255 characters

Privilege Elevation Command

If required, enter a privilege elevation command (such as sudo). This is used as a prefix for commands that require privileged access on the system and to manage accounts on Unix-based systems; that is, to check and change SSH keys and to discover accounts.

The commands SPP runs through this prefix on Unix-based systems are:

  • AuthorizedKeyCommand (specify a program to look up the user's public keys)
  • cat
  • chmod
  • chown
  • cp
  • echo
  • egrep
  • find
  • grep
  • host
  • ls
  • mkdir
  • mv
  • rm
  • sed
  • sshd
  • ssh-keygen
  • tee
  • test
  • touch
  • usermod

When adding an asset, this command is used to perform Test Connection. For more information, see About Test Connection.

The privilege elevation command must run non-interactively, that is, without prompting for a password. For more information, see Preparing Unix-based systems.

The limit is 255 characters.
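The Privilege Elevation Command entries in Table 110 and Table 113 both say the command must run non-interactively and list what SPP runs through it, but not how to grant exactly that. The script below is an added example, not part of SPP or of the product's preparation guide: it builds a sudoers drop-in for a service account that allows only the listed commands, without a password and without a TTY (SPP sends commands over an SSH exec channel, which `requiretty` would block), validates it with `visudo -c` before installing, and checks the non-interactive behaviour the way Test Connection depends on it. The account name `spp-svc`, the drop-in path `/etc/sudoers.d/spp-<user>`, and the search directories are assumptions; the command list is the one above (AuthorizedKeyCommand is an sshd setting, not a binary, so it is not a sudoers entry).

```shell
#!/bin/sh
# Added example (not SPP code): restrict sudo for the SPP service account to the
# commands SPP actually runs through the Privilege Elevation Command prefix ("sudo").

# The binaries from the Privilege Elevation Command list above.
SPP_SUDO_COMMANDS="cat chmod chown cp echo egrep find grep host ls mkdir mv rm sed sshd ssh-keygen tee test touch usermod"

# Resolve a command to an absolute path; sudoers entries must use full paths.
# Directories are searched explicitly because `command -v` reports shell builtins
# such as echo and test without a path. (Assumed, conventional search order.)
spp_bin_path() {
    for d in /usr/local/sbin /usr/local/bin /usr/sbin /usr/bin /sbin /bin; do
        if [ -x "$d/$1" ]; then printf '%s\n' "$d/$1"; return 0; fi
    done
    return 1
}

# Print a sudoers drop-in for the account in $1: no password prompt (NOPASSWD), no TTY
# requirement, and a command alias instead of ALL. Commands missing on this host are
# reported as comments so the gap is visible rather than silently ignored.
spp_sudoers_fragment() {
    user="$1"
    alias_list=""
    for c in $SPP_SUDO_COMMANDS; do
        if p=$(spp_bin_path "$c"); then
            alias_list="${alias_list:+$alias_list, }$p"
        else
            printf '# %s: not found on this host; add its full path by hand if SPP needs it\n' "$c"
        fi
    done
    printf 'Defaults:%s !requiretty\n' "$user"
    printf 'Cmnd_Alias SPP_CMDS = %s\n' "$alias_list"
    printf '%s ALL=(root) NOPASSWD: SPP_CMDS\n' "$user"
}

# Install the fragment only after visudo accepts it; a syntax error in sudoers.d
# can lock everyone out of sudo. Run as root. (Drop-in path is an assumption.)
spp_install_sudoers() {
    user="$1"; f="/etc/sudoers.d/spp-$user"
    spp_sudoers_fragment "$user" > "$f.tmp"
    visudo -c -f "$f.tmp" && install -m 0440 "$f.tmp" "$f"
    rm -f "$f.tmp"
}

# Run as root: `sudo -n` fails instead of prompting, so this succeeds only if every
# rule for the account is NOPASSWD, which is what Test Connection needs.
spp_check_noninteractive() {
    su -s /bin/sh "$1" -c 'sudo -n -l >/dev/null'
}

# Usage: ./spp-sudoers.sh --print spp-svc   (prints the fragment for review)
if [ "${1:-}" = "--print" ] && [ -n "${2:-}" ]; then spp_sudoers_fragment "$2"; fi
```

Review the printed fragment before installing it: the `Cmnd_Alias` is what limits the blast radius if the service account password is ever exposed, and it should stay in step with this list when SPP is upgraded.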

Privilege Level Password

Enter the Enable password to allow access to the Cisco configuration.

Auto Accept SSH Host Key

This check box is selected by default, indicating that SPP automatically accepts an SSH host key. This option is not available for all platforms.

Once the SSH host key is discovered, the SSH host key fingerprint is displayed.

When an asset requiring an SSH host key does not have one, Check Password will fail. For more information, see Connectivity failures.
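Auto Accept SSH Host Key (here and in Table 110) trusts whatever key the asset presents the first time SPP connects, and the fingerprint is only displayed afterwards. The script below is an added example, not SPP tooling: it obtains the fingerprint on the wire with `ssh-keyscan` (which reads the key without adding it to any known_hosts file) and compares it with one obtained out of band, so the value SPP displays can be checked against something you already trust. `asset.example.test` and `approved-fingerprints.txt` are assumed, constructed inputs; the functions require the OpenSSH client tools.

```shell
#!/bin/sh
# Added example (not SPP code): verify an SSH host key fingerprint out of band
# instead of relying on Auto Accept SSH Host Key.

# SHA256 fingerprint of a public key, in the form SPP shows after discovery.
# $1 is a file such as /etc/ssh/ssh_host_ed25519_key.pub, or "-" to read stdin.
ssh_hostkey_fp() {
    ssh-keygen -lf "$1" | awk '{print $2}'
}

# Fingerprints of every host key the asset presents on the wire. ssh-keyscan only
# reads the keys; nothing is written to known_hosts, so nothing is "accepted" here.
ssh_hostkey_fp_remote() {
    host="$1"; port="${2:-22}"
    ssh-keyscan -p "$port" "$host" 2>/dev/null | ssh_hostkey_fp -
}

# True when the fingerprint presented on the wire ($2) equals the one obtained out of
# band ($1): from the asset's console, or ssh_hostkey_fp on its /etc/ssh/ssh_host_*_key.pub.
# An empty expected value never matches, so a failed lookup cannot pass by accident.
ssh_hostkey_matches() {
    expected="$1"; presented="$2"
    [ -n "$expected" ] && [ "$expected" = "$presented" ]
}

# True when $1 is listed in an approved-fingerprint file ($2, one "SHA256:..." per line),
# for example a list exported from the inventory before the asset is added to SPP.
ssh_hostkey_approved() {
    [ -n "$1" ] && grep -qxF "$1" "$2"
}

# Usage: ./hostkey-check.sh asset.example.test 22 approved-fingerprints.txt
# Exits non-zero if the asset offers any key that is not on the approved list.
if [ $# -eq 3 ]; then
    for fp in $(ssh_hostkey_fp_remote "$1" "$2"); do
        if ssh_hostkey_approved "$fp" "$3"; then
            echo "OK      $fp"
        else
            echo "UNKNOWN $fp"; exit 1
        fi
    done
fi
```

If the fingerprint SPP displays after discovery does not match the out-of-band value, treat the asset as unverified and investigate before any password or SSH key change is allowed through that connection.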

Test Connection

Click this button to verify that SPP can log in to this asset using the service account credentials you have provided. For more information, see About Test Connection.

Service Account Password Profile

Click Edit to add the profile or Remove to delete the assigned profile. Available profiles are based on the partition selected on the General tab (asset discovery). To update the profile later, go to the service account and update the profile. For more information, see Properties (account).

Service Account SSH Key Profile

Click Edit to add the profile or Remove to delete the assigned profile. Available profiles are based on the partition selected on the General tab (asset discovery). To update the profile later, go to the service account and update the profile. For more information, see Properties (account).

Use SSL Encryption

Select this option to enable Safeguard to encrypt communication with this asset. If you do not select this option for a Microsoft SQL Server that is configured to force encryption, Test Connection uses untrusted encryption and succeeds with valid credentials. For more information about how Safeguard database servers use SSL, see How do SPP database servers use SSL.

Verify SSL Certificate

Use this option to enable or disable SSL certificate verification on the asset. When enabled, Safeguard for Privileged Passwords compares the signing authority of the certificate presented by the asset to the certificates in the Trusted CA Certificates store every time Safeguard for Privileged Passwords connects to the asset. Trust must be established for Safeguard for Privileged Passwords to manage the asset. For Safeguard for Privileged Passwords to verify an SSL certificate, you must add the asset's signing authority certificate to the Trusted CA Certificates store. Only clear the Verify SSL Certificate option if you do not want to establish trust with the asset.
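The Verify SSL Certificate entries (here, in Table 110 and in Table 112) and the Active Directory note in Table 110 (forest certificate uploaded to the Trusted CA Certificates store, LDAPS on port 636) describe the trust check but give no way to confirm it will pass before the option is enabled. The script below is an added example, not SPP or Microsoft tooling: it fetches the certificate an asset presents, checks offline that it chains to the CA file you intend to upload, and performs a handshake with verification enforced so that the "untrusted encryption succeeds" case is visible as a failure rather than hidden. `dc01.example.test`, `forest-ca.pem` and port 636 are assumed inputs; the functions require the openssl command-line tool.

```shell
#!/bin/sh
# Added example (not SPP code): check an asset's TLS certificate against the CA that
# will go into SPP's Trusted CA Certificates store, before enabling Verify SSL Certificate.

# Offline check: does the asset certificate ($1, PEM) chain to the CA file ($2)?
# This is the question SPP asks on every connection when Verify SSL Certificate is
# enabled: only the signing authority present in the trust store is accepted.
asset_cert_chains_to_ca() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Fetch the certificate an asset presents on the wire (default: LDAPS on 636 for a
# domain controller) and save it as PEM for inspection and the offline check above.
fetch_asset_cert() {
    host="$1"; port="${2:-636}"; out="$3"
    openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>/dev/null \
        | openssl x509 -outform PEM > "$out"
}

# Handshake with verification enforced. -verify_return_error makes an untrusted chain
# abort the handshake. Without it, openssl behaves like a client with certificate
# verification cleared: the session is encrypted but the peer is unverified, which is
# the untrusted-encryption case in which Test Connection still succeeds.
tls_handshake_verified() {
    host="$1"; cafile="$2"; port="${3:-636}"
    openssl s_client -connect "$host:$port" -servername "$host" -CAfile "$cafile" \
        -verify_return_error </dev/null >/dev/null 2>&1
}

# Usage: ./asset-tls-check.sh dc01.example.test forest-ca.pem [636]
if [ $# -ge 2 ]; then
    if tls_handshake_verified "$1" "$2" "${3:-636}"; then
        echo "OK: $1:${3:-636} presents a certificate signed by a CA in $2"
    else
        echo "FAIL: $1:${3:-636} does not chain to $2 (or the port is closed)"
        echo "      Fix the certificate or the CA file; do not clear Verify SSL Certificate to work around this."
        exit 1
    fi
fi
```

The offline function is the one to keep around: run it against the certificate each asset presents whenever the forest CA is rotated, because SPP re-checks the chain on every connection and a rotated CA that has not been uploaded to the Trusted CA Certificates store will break management of every asset that depends on it.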

As Privilege

Specify the Oracle privilege level to use when connecting with the selected Oracle service account, if required. The Oracle SYS account requires the privilege level SYSDBA or SYSOPER. For details, see the Oracle documents About Administrative Accounts and Privileges and SYSDBA and SYSOPER System Privileges.

Instance/Service Name

For SQL Server platforms, specify the Instance name if you have configured multiple instances of a SQL Server on this asset. If you have configured a default (unnamed) instance of the SQL Server on the host, you need to provide the IP address and port number.

For Oracle platforms, use the TNSNAMES naming method to identify the target system in Oracle. Depending on how the Oracle environment is configured, the Instance (also called SID in Oracle) and/or the Service Name (ServiceName) can be used to identify the target database.

Workstation ID

Specify the configured workstation ID, if applicable. This option is for IBM i systems.

Port

Enter the port number on which the asset will be listening for connections.

Default: port 22; port 1433 for SQL Server; port 8443 for SonicWALL SMA or CMS appliance.

Connection Timeout

Enter how long to wait (in seconds) for both the connect and command timeout.

Default: 20 seconds