Chat now with support
Chat with Support

One Identity Safeguard for Privileged Passwords 7.5.1 - Appliance Setup Guide

Virtual appliance backup and recovery

Use the following information to back up and recover a Safeguard for Privileged Passwords virtual appliance. Factory reset is not an option for virtual appliances. To factory reset a virtual appliance, just redeploy the appliance.

Backing up the virtual appliance

To ensure security of the hardware appliance, backups taken from a virtual appliance cannot be restored on a hardware appliance.

For more information, see Backup and Retention settings.Backup and Retention settings in the Safeguard for Privileged Passwords Administration Guide.

Recovery of the virtual appliance

A Safeguard for Privileged Passwords virtual appliance is reset by using the following recovery steps.

On-prem virtual appliance (for example, Hyper-V or VMware)

  1. Redeploy the virtual appliance and run Initial Setup. For more information, see Setting up the virtual appliance.Setting up the virtual appliance in the Safeguard for Privileged Passwords Administration Guide.
  2. Restore the backup. For more information, see Backup and Retention settings.Backup and Retention settings in the Safeguard for Privileged Passwords Administration Guide.

Cloud virtual appliance (for example, AWS or Azure)

  1. Redeploy using the deployment steps:

Completing the appliance setup

After setting up the hardware appliance or virtual appliance, complete the following steps.

Log in to the web client
  1. Log in using the Bootstrap Administrator account with the configured IPv4 or IPv6 address for the primary interface (X0). To log in with an IPv6 address, enter it in square brackets.

  2. License Safeguard for Privileged Passwords using the provided license file.

    1. In the web client, navigate to Appliance Management > Appliance > Licensing.

    2. To upload a new license file, click .

    The Software Transaction Agreement will be displayed after a new license is uploaded. In order to use Safeguard for Privileged Passwords, the agreement must be read and accepted.

  3. Define archive server configurations and assign an archive server to an appliance. To do so, navigate to Appliance Management > Backup and Retention > Archive Servers.

  4. Configure the time zone:

    1. Navigate to User Management > Settings > Time Zone.

    2. Select the time zone in the Default User Time Zone drop-down menu.

  5. Ensure that your Safeguard for Privileged Passwords Appliance has the latest software version installed. To check the version:

    1. Navigate to Appliance Management > Appliance > Appliance Information. The Appliance Version is displayed.

    2. Go to the following product support page for the latest version: https://support.oneidentity.com/one-identity-safeguard/download-new-releases.

    3. If necessary, apply a patch. Wait for maintenance to complete. If you are installing multiple patches, repeat as needed.

      1. Download the latest update from: https://support.oneidentity.com/one-identity-safeguard/.

      2. From the Safeguard for Privileged Passwords Home page, select Appliance Management > Appliance > Patch Updates.

      3. Click Upload a File and browse to select an update file.

        NOTE: When you select a file, Safeguard for Privileged Passwords uploads it to the server, but does not install it.

      4. Click Install Now to install the update file immediately.

      5. In the confirmation dialog, enter the word Install and click OK.

      6. Once you have updated Safeguard for Privileged Passwords, be sure to back up your Safeguard for Privileged Passwords Appliance.

To change the Bootstrap Administrator's password

The Bootstrap Administrator is a built-in account that allows you to get the appliance set up for first-time use. To keep your Safeguard for Privileged Passwords Appliance secure, once the license is added, change the default password for the Bootstrap Administrator’s account.

  1. In the web client, click your user name in the upper-right corner of the screen and select My Settings.

  2. Open the My Account page and click Change Password.

If this password is ever lost, you can reset it to the default of Admin123. For more information, see Admin password reset in the Safeguard for Privileged Passwords Administration Guide.

Backup Safeguard for Privileged Passwords

Immediately after your initial installation of Safeguard for Privileged Passwords, make a backup of your Safeguard for Privileged Passwords Appliance.

NOTE: The default backup schedule runs at 4:00 AM UTC, which can be modified or you can manually run a backup.

  1. From the Safeguard for Privileged Passwords Home page, open Appliance Management > Backup and Retention > Backup and Restore.

  2. Click  Run Now.

Add a user with Authorizer administrative permissions

The Authorizer Administrator is responsible for granting administrative access to One Identity Safeguard for Privileged Passwords.

  1. From the Safeguard for Privileged Passwords Home page, open User Management > Users.

  2. Click New User to create a Safeguard for Privileged Passwords user with local identity and authentication, and Authorizer permissions.

    Username Password Permissions Description
    AuthorizerAdmin Test123 Authorizer

    Allow the user to grant permissions to other users.

    NOTE: This permission allows the user to change their own permission.

    NOTE: When you choose Authorizer permissions, Safeguard for Privileged Passwords also selects User and Help Desk permissions. These additional settings cannot be cleared.

  3. Log out:

    1. In the upper-right corner of the screen, click your user name.

    2. Select Log Out.

Change the local security policy

Before One Identity Safeguard for Privileged Passwords can reset local account passwords on Windows systems, you must change the local security policy.

  1. From the Windows Start menu, open Local Security Policy.

  2. Navigate to Local Policies > Security Options.

  3. Disable User Account Control: Run all administrators in Admin Approval Mode option.

  4. Restart your computer.

Enable password authentication (applies to SPS module only)

For some systems (SUSE and some Debian systems) that use SSH, you must enable password authentication in the package generated configuration file (sshd_config).

For example, in the debian sshd_config file, enable the PasswordAuthentication yes parameter.

Cloud deployments

Safeguard for Privileged Passwords can be run from:

  • The One Identity Safeguard for Privileged Passwords 4000 Appliance, 3000 Appliance and 2000 Appliance (hardware)
  • A virtual machine
  • The cloud

This section covers the background and steps you need to deploy from the cloud for the first time.

Cloud deployment considerations

Safeguard for Privileged Passwords can be run from the cloud.

Before you start: platforms and resources

When setting up a virtual environment, carefully consider the configuration aspects such as CPU, memory availability, I/O subsystem, and network infrastructure to ensure the virtual layer has the necessary resources available. See One Identity's Product Support Policies for more information on environment virtualization.

Platforms that have been tested with the cloud deployments follow.

For these deployments, the minimum resources used in test are 4 CPUs, 10GB RAM, and a 60GB disk. Choose the appropriate machine and configuration template. For example, when you click Create in the Azure Marketplace, default profiles display. You can click Change size to choose a different template. Whereas in OCI, select a supported shape to allocate the appropriate resources for your instance.

Restricting access to the web management kiosk for cloud deployments

The web management kiosk runs on port 9337 in AWS, OCI, and Azure and is intended for diagnostics and troubleshooting by Appliance Administrators.

CAUTION: The Management web kiosk is available via HTTPS port 9337 for cloud platforms (including AWS, OCI, and Azure). The Management web kiosk gives access to functions without authentication, such as pulling a support bundle or rebooting the appliance. In AWS and OCI, all ports are denied unless explicitly allowed. To deny access to port 9337, the port should be left out of the firewall rules. If the port is used, firewall rules should allow access to targeted users.

Azure: Block port 9337

Use the following steps to block access to port 9337 in Azure.

  1. Navigate to the virtual machine running Safeguard for Privileged Passwords.
  2. In the left hand navigation menu select Networking.
  3. Click Add inbound port rule.
  4. Configure the inbound security rule as follows:

    Source: Any

    Source port ranges: *

    Destination: Any

    Destination port ranges: 9337

    Protocol: Any

    Action: Deny

    Priority: 100 (use the lowest priority for this rule)

    Name: DenyPort9337

  5. Click Add.

AWS: Block port 9337

Use the following steps to block access to port 9337 in AWS.

  1. From the EC2 Dashboard, navigate to the EC2 Instance running Safeguard for Privileged Passwords.
  2. Select the instance.
  3. In the Description tab, locate the Security groups field then click the name of the security group.
  4. Select the Inbound tab.
  5. Click Edit.
  6. Remove any existing rules and add the following rules:
    • Type: Custom UDP Rule

      Protocol: UDP

      Port Range: 655

      Source: Anywhere

      Description: Cluster VPN

    • Type: HTTPS

      Protocol: TCP

      Port range: 443

      Source: Anywhere

      Description: Web API

    • Type: Custom TCP Rule

      Protocol: TCP

      Port Range: 8649

      Source: Anywhere

      Description: SPS Cluster

  7. Click Save.

OCI: Block port 9337

Use the following steps to block access to port 9337 in OCI.

  1. Navigate to the Virtual Cloud Network assigned to the instance running Safeguard for Privileged Passwords.

  2. Navigate to the Subnet assigned to the instance.

  3. Open the Security List for the subnet.

  4. Ensure no ingress rules allow for traffic from any source (with any IP Protocol) to destination port 9337. Review the ingress rules carefully as they may apply to a range of destination ports instead of explicitly listing port 9337.

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating