
One Identity Safeguard for Privileged Passwords 7.4.1 - Appliance Setup Guide

Setting up the hardware appliance

CAUTION: To maximize security, restrict access to the MGMT interface to as few users as possible. The Management web kiosk gives access to functions without authentication, such as pulling a support bundle or rebooting the appliance.

Follow these steps to set up and configure the One Identity Safeguard for Privileged Passwords Appliance.

Step 1: Before you start

For the 3000 and 2000 appliances, ensure that you install the Microsoft .NET Framework 4.6 (or later) on your management host. 4000 appliances do not have this requirement since they ship with the 7.0 version of SPP.

Check the One Identity Support site and install the latest version of the SPP software.

Step 2: Prepare for installation

Gather the following items before you start the appliance installation process:

  • Laptop
  • IP address
  • IP subnet mask
  • IP gateway
  • DNS server address
  • NTP server address
  • One Identity Safeguard for Privileged Passwords license

    If you purchased One Identity Safeguard for Privileged Passwords, the appropriate license files should have been sent to you via email. If you have not received an email or need it to be resent, visit https://support.oneidentity.com/contact-us/licensing. If you need to request a trial key, please send a request to sales@oneidentity.com or call +1-800-306-9329.

Step 3: Rack the appliance

Prior to installing the racks for housing the appliance, see the Warnings and precautions appendix of this guide.

Step 4: Power on the appliance

Prior to powering up the appliance, see the Standardized warning statements for AC systems appendix of this guide.

The One Identity Safeguard for Privileged Passwords Appliance includes dual power supplies for redundant AC power and added reliability.

  1. Plug the power cords to the power supply sockets on the appliance back and then connect the cords to AC outlets.

    TIP: As a best practice, connect the two power cords to outlets on different circuits. One Identity recommends using a UPS on all appliances.

  2. Press the Green check mark button on the front panel of the appliance for NO MORE THAN one second to power on the appliance.

    Caution: Once the SPP Appliance is booted, DO NOT press and hold the Green check mark button. Holding this button for four or more seconds will cold reset the power of the appliance and may result in damage.

    You can use the Red X button to shut down the appliance. Once the SPP Appliance is booted, press and hold the Red X button for four seconds until it displays POWER OFF.

    NOTE: If the SPP Appliance is not yet booted, it may be necessary to press the Red X button for up to 13 seconds.

    Caution: Once the SPP Appliance is booted, DO NOT press and hold the Red X button for more than 13 seconds. This will hard power off the appliance and may result in damage.

Step 5: Connect the management host to the appliance

The port used for a secure first-time configuration of the appliance is MGMT. This IP address is a fixed address that cannot be changed. It will always be available in case the primary interface becomes unavailable. The MGMT IP address is: 192.168.1.105.

The primary interface that connects your appliance to the network is X0. You must change the primary interface IP to match your network configuration. The default X0 IP is: 192.168.0.105.

The appliance can take up to five minutes to boot up. In addition, ping replies have been disabled on the appliance, so you will not be able to ping this secure appliance.

  1. Connect an Ethernet cable from the laptop to the MGMT port on the back of the appliance.
  2. Set the IP address of the laptop to 192.168.1.100, the subnet mask to 255.255.255.0, and no default gateway.

Step 6: Log in to SPP

  1. Open a browser on the laptop and connect to the IP address of the MGMT port https://192.168.1.105.

    If you have problems accessing the configuration interface, check your browser Security Settings or try using an alternate browser.

  2. Accept the certificate and continue. This is only safe when using an Ethernet cable connected directly to the appliance.

  3. Log in to the SPP web client using the Bootstrap Administrator account:
    • User name: admin
    • Password: Admin123

    The Bootstrap Administrator is a built-in account that allows you to get the appliance set up for first-time use. To keep your SPP Appliance secure, change the default password for the Bootstrap Administrator’s account. For more information, see Completing the appliance setup.

  4. Configure the primary network interface (X0):
    • On the Appliance Configuration page, configure the following. Click the Edit icon to modify these settings.
      • Time: Enable NTP and set the primary NTP server; if desired, set the secondary NTP server, as well. Click Save. By default, the NTP server is set to pool.ntp.org.

      • Network (X0):
        • Enter the appliance's IPv4 and/or IPv6 address information (IP address, Subnet Mask, Gateway). Directory or network scans are supported for IPv4 but not IPv6.
        • Enter the DNS server address.

        • Optionally, enter the DNS suffixes.
        • Click Save.

    NOTE: Starting with SPP 6.9, the Network Interface (X1) can be used to add additional virtual network adapters associated with the X1 ethernet port to enable VLAN support.

  5. Log in to the web client to complete the next steps. For more information, see Completing the appliance setup.
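
The management-host side of Steps 5 and 6 as an added example (not One Identity's own tooling): it assigns the laptop its address on the MGMT link, confirms the appliance has booted by opening a TCP connection to the HTTPS port (ping replies are disabled, so ping proves nothing), and records the SHA-256 fingerprint of the appliance certificate accepted in Step 6 so later logins over the network can be checked against it. It assumes a Linux laptop with bash, iproute2, openssl and coreutils timeout; LAPTOP_IF is a placeholder interface name.

```bash
#!/usr/bin/env bash
# Added example for the management host; not part of the One Identity guide.
# Assumes: bash, "ip" (iproute2), "openssl" and coreutils "timeout" are installed.
set -u

MGMT_IP="192.168.1.105"            # fixed MGMT address from Step 5 of the guide
LAPTOP_IP="192.168.1.100"          # laptop address from Step 5
LAPTOP_IF="${LAPTOP_IF:-eth0}"     # placeholder: your laptop's Ethernet interface

# Sanity check: both addresses must share the same /24 (first three octets).
# The X0 default 192.168.0.105 is on a different /24 and is NOT reachable here.
same_subnet24() {
    [ "${1%.*}" = "${2%.*}" ]
}

# Step 5.2: laptop gets 192.168.1.100/24 on the MGMT link, no default gateway.
# Needs root; only called when the script is invoked with "run".
configure_laptop_nic() {
    ip addr flush dev "$LAPTOP_IF"
    ip addr add "${LAPTOP_IP}/24" dev "$LAPTOP_IF"
    ip link set "$LAPTOP_IF" up
}

# ICMP is disabled on the appliance, so test reachability with a TCP connect
# to the HTTPS port. Returns 0 when the port accepts within $3 seconds.
tcp_port_open() {
    local host="$1" port="$2" secs="${3:-3}"
    timeout "$secs" bash -c "exec 3<>/dev/tcp/${host}/${port}" 2>/dev/null
}

# Boot can take up to five minutes; poll every 10 s (default 30 tries).
wait_for_mgmt() {
    local tries="${1:-30}" i=0
    while [ "$i" -lt "$tries" ]; do
        tcp_port_open "$MGMT_IP" 443 3 && return 0
        sleep 10
        i=$((i + 1))
    done
    return 1
}

# Step 6.2 accepts a self-signed certificate, which is only safe on the direct
# cable. Capture its SHA-256 fingerprint now and compare on later connections.
cert_fingerprint() {
    local host="$1" port="${2:-443}"
    openssl s_client -connect "${host}:${port}" -servername "$host" </dev/null 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha256 \
        | sed 's/^.*=//'
}

if [ "${1:-}" = "run" ]; then      # usage: sudo ./mgmt-check.sh run
    same_subnet24 "$LAPTOP_IP" "$MGMT_IP" || { echo "laptop IP not on MGMT /24"; exit 1; }
    configure_laptop_nic
    wait_for_mgmt || { echo "MGMT port ${MGMT_IP}:443 not reachable"; exit 1; }
    echo "appliance certificate SHA-256: $(cert_fingerprint "$MGMT_IP")"
fi
```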

Step 7: Connect the appliance to the network

Connect an Ethernet cable from your primary interface (X0) on the appliance to your network.

Step 8: After clustering, change the trusted servers, CORS, and redirects setting

As a best practice, after you have created your Safeguard for Privileged Passwords cluster (or if just using a single VM), change the Trusted Servers, CORS and Redirects setting to the empty string or to a list of the integration applications you wish to allow. For more details, see the Safeguard for Privileged Passwords Administration Guide, Trusted Servers, CORS and Redirects.

Lights Out Management (BMC)

The Lights Out Management feature allows you to remotely manage the power state and serial console of Safeguard for Privileged Passwords using the baseboard management controller (BMC). When a LAN interface is configured, this allows the Appliance Administrator to power on an appliance remotely or to interact with the Recovery Kiosk.

The Appliance Administrator can enable and configure the Lights Out Management feature. When Lights Out Management is enabled, the Appliance Administrator can set or change the password and modify the network information for the baseboard management console (BMC). When disabled, SPP immediately resets the password to a random value and resets the network settings to default values.

Lights Out Management is only available on hardware appliances (not on a virtual machine).

LAN interface required

This feature requires a LAN interface to be enabled and configured. The BMC of One Identity Safeguard for Privileged Passwords supports the following LAN interfaces to provide this functionality:

  • SSH
  • IPMI v2
  • Web
  • Serial over LAN

It is strongly recommended that the LAN interface only be enabled in trusted environments.

To enable Lights Out Management

A static IP address will need to be assigned and a network cable will need to be connected to the IPMI ethernet port on the back of the appliance. This is in addition to the standard X0 network interface.

  1. Navigate to Lights Out Management (BMC).
  2. Click the Enable Lights Out Management toggle to turn the feature on or off.
  3. Once enabled, enter the following information about the BMC:
    1. IP address: The IPv4 address of the host machine.
    2. Netmask: The network mask IPv4 address.
    3. Default Gateway: The default gateway IPv4 address.
  4. Use Set BMC Admin Password to set the password for the host machine.

    Maximum password length: 20 characters.

    NOTE: If this feature was previously enabled, you will see an Update BMC Admin Password button instead. Optionally, click the Update BMC Admin Password button to reset the password for the host machine.

  5. Click OK to save the settings on the host machine.

Accessing the BMC

Once Lights Out Management is enabled in SPP, you can access the BMC via:

  • SSH to the IPMI port to remotely manage the power state and serial console of SPP
  • Web browser

SSH connection

The SPP Kiosk Console can be accessed via Putty, Linux command line, or your preferred SSH Client.

  1. Connect to the IP assigned to the IPMI interface and log in with the Admin user (the default credentials are ADMIN/admin).
  2. At the prompt run: start /system1/sol1. There may be a delay. Please wait for the connection. A message like the following gives you the instructions to proceed:
    ->start /system1/sol1
    press <Enter>, <Esc>, and then <T> to terminate session
    (press the keys in sequence, one after the other)

  3. On the menu shown below, navigate using the arrow keys. Press the right arrow to select a menu option, press the left arrow to return to the menu list, press up or down to select a different menu option.

    Appliance Information >

    Power Options >

    Backups >

    Admin Password Reset >

    Factory Reset >

    Support Bundle >

  4. If the screen freezes, or displays distorted information, you can press CTRL+R or CTRL+D to refresh the screen.

  5. To exit the Kiosk press Enter, then press ESC, then press SHIFT+T. At the prompt, type in exit.

If the appliance is in Quarantine, generate a Quarantine Bundle from the Kiosk menu and copy the file to a network share. After the bundle is retrieved, perform a Reboot via the Kiosk to see if the appliance will recover on its own. If it remains in Quarantine, a Factory Reset will likely be necessary. For more information, see Performing a factory reset.

Web browser interface

If you experience difficulty logging in through SSH, web access is also available.

  1. In your browser, go to the IP address of your IPMI interface (for example, https://10.10.10.10) and log in with your BMC admin account. The default is ADMIN/admin.
  2. You can attempt to fix the SSH connection by navigating to Maintenance > Unit Reset > Select Reset. After 60 seconds, re-attempt the SSH connection.
  3. Log in to the Kiosk via the web by navigating to Remote Control > Select Launch SOL. (Java is required for this method; the Kiosk will launch in a JNLP window.)
  4. Use the cursor keys and return to navigate. Page Up is used for backspace. It is not possible to copy and paste when using the Java viewer.

Rebooting

A reboot from the BMC web browser interface is only a hardware level reboot.

If you need to reboot using the web browser interface:

  1. Log into the BMC web browser interface.
  2. Open the Serial over LAN emulator, which opens the Kiosk interface.
  3. Select reboot from the menu.

See KB 263835: How to remotely access the Kiosk via the Lights Out Management / BMC / IPMI interface.

Warnings and precautions

The following precautions must be taken for proper installation.

Rack precautions
  • Ensure that the leveling jacks on the bottom of the rack are fully extended to the floor with the full weight of the rack resting on them.
  • In a single-rack assembly, stabilizers should be attached to the rack. In a multi-rack assembly, the racks should be coupled together.
  • Always ensure the rack is stable before extending a component from the rack.
  • Extend only one component at a time; extending two or more components simultaneously may cause the rack to become unstable.
Component precautions
  • Review the electrical and general safety precautions. For more information, see Standardized warning statements for AC systems.
  • Determine the placement of each component in the rack BEFORE you install the rails.
  • Install the heaviest components on the bottom of the rack first, and then work up.
  • Use a regulating uninterruptible power supply (UPS) to protect the component from power surges, voltage spikes, and to keep your system operating in case of a power failure.
  • Allow the hot plug SATA drives and power supply modules to cool before touching them.
  • Always keep the rack's front door and all panels and components on the appliance closed when not servicing to maintain proper cooling.
Appliance and mounting considerations

The following conditions are required for proper installation.

Ambient operating temperature

If installed in a closed or multi-rack assembly, the ambient operating temperature of the rack environment may be greater than the ambient temperature of the room. Therefore, consideration should be given to installing the equipment in an environment compatible with the manufacturer's maximum rated ambient temperature (Tmra).

Reduced airflow

Mount the equipment into the rack so that the amount of airflow required for safe operation is not compromised.

Mechanical loading

Mount the appliances evenly in the rack in order to prevent a hazardous condition due to uneven mechanical loading.

Circuit overloading

Consideration must be given to the connection of the equipment to the power supply circuit. Appropriate consideration of equipment nameplate ratings must be used when addressing this concern. Do not overload the circuit.

Reliable ground

Reliable grounding of rack-mounted equipment must be maintained at all times. To ensure this, the rack itself should be grounded. Particular attention must be given to power supply connections other than the direct connections to the branch circuit, such as power strips.

Standardized warning statements for AC systems

The following statements are industry-standard warnings, provided to warn the user of situations that have the potential for bodily injury. Should you have questions or experience difficulty, contact One Identity technical support for assistance. Only certified technicians should attempt to install or configure components.

Read this appendix in its entirety BEFORE installing or configuring components in the One Identity Safeguard for Privileged Passwords Appliance.

NOTE: These warning statements are also available in multiple languages on the One Identity support site:

https://support.oneidentity.com/one-identity-safeguard/2.0/technical-documents.

Warning definition

Warning: This warning symbol means danger. You are in a situation that could cause bodily injury. Before you work on any equipment, be aware of the hazards involved with electrical circuitry and be familiar with standard practices for preventing accidents.
Installation instructions

Warning: Read the installation instructions before connecting the system to the power source.
Circuit Breaker

Warning: This product relies on the building's installation for short-circuit (overcurrent) protection. Ensure that the protective device is rated not greater than 250 V, 20 A.
Power Disconnection Warning

Warning: The system must be disconnected from all sources of power and the power cord removed from the power supply module(s) before accessing the chassis interior to install or remove system components.
Equipment installation

Warning: Only trained and qualified personnel should be allowed to install, replace, or service this equipment.
Restricted area

Warning: This unit is intended for installation in restricted access areas. A restricted access area can be accessed only through the use of a special tool, lock and key, or other means of security. (This warning does not apply to workstations.)
Battery handling

Warning: There is a danger of explosion if the battery is replaced incorrectly. Replace the battery only with the same or equivalent type recommended by the manufacturer. Dispose of used batteries according to the manufacturer's instructions.
Redundant power supplies

Warning: This unit may have more than one power supply connection. All connections must be removed to de-energize the unit.
Backplane voltage

Warning: Hazardous voltage or energy is present on the backplane when the system is operating. Use caution when servicing.
Comply with local and national electrical codes

Warning: Installation of equipment must comply with local and national electrical codes.
Product disposal

Warning: Ultimate disposal of this product should be handled according to all national laws and regulations.
Hot swap fan warning

Warning: The fans may still be turning when you remove the fan assembly from the chassis. Keep fingers, screwdrivers, and other objects away from the openings in the fan assembly's housing.
Power cable and AC adapter

Warning: When installing the product, use the provided or designated connection cables, power cables, and AC adapters. Using any other cables and adapters can cause a malfunction or a fire. The Electrical Appliance and Material Safety Law prohibits the use of UL- or CSA-certified cables (which have UL/CSA shown on the cord) for any electrical devices other than products designed by One Identity LLC.
