Chat now with support
Chat with Support

One Identity Safeguard for Privileged Passwords 8.0 LTS - Administration Guide

Introduction System requirements Using API and PowerShell tools Using the virtual appliance and web management console Cloud deployment considerations Setting up Safeguard for Privileged Passwords for the first time Using the web client Home page Privileged access requests Appliance Management
Appliance Backup and Retention Certificates Cluster Global Services External Integration Real-Time Reports Safeguard Access Appliance Management Settings
Asset Management
Account Automation Accounts Assets Partitions Discovery Profiles Tags Registered Connectors Custom platforms Importing objects
Security Policy Management
Access Request Activity Account Groups Application to Application Cloud Assistant Asset Groups Entitlements Linked Accounts User Groups Security Policy Settings
User Management Reports Vaults Disaster recovery and clusters Administrator permissions Preparing systems for management Troubleshooting Frequently asked questions Appendix A: Safeguard ports Appendix B: SPP and SPS join guidance Appendix C: Regular Expressions

Last Login report

This report shows the last time each user successfully logged in.

Global Administrators, User Administrators, Helpdesk Administrators, or System Auditors can run a Last Login report.

To export the data from a Last Login report

  1. Navigate to Reports > Access Request Reports > Last Login.

  2. (Optional) Apply any desired filters to the table.

    To set a time frame to display, use the Date Range drop-down.

    NOTE: You can set a fixed time frame, such as Older Than 24 Hours, or you can specify an exact amount of days or an exact time frame by setting Custom Days or Custom Dates, respectively.

    To filter for inactive users, select Include users who never logged in.

  3. You can then select to either export the data for all listed items or the data for a single item:

    • To export data for all items, select Export on the toolbar.

    • To export data for a single item, select an item and click View Details. From the details dialog, select Export.

  4. From the Export dialog, select to export the data as either a JSON or CSV file. For more information, see Exporting data. The time is set according to the user time zone.

  5. To generate the report file, click Export.

Vaults

In the SPP web client, expand the Vaults section in the left navigation pane. This section contains the Administered Certificates and Enterprise Password Vault features that are available to all users of SPP. The Enterprise Password Vault feature requires an additional license to activate and must be explicitly granted to users.

Administered certificates

Administered Certificates allows customers to create certificate signing requests (CSRs) for:

  • TLS/SSL certificates

  • User/Client certificates

  • Timestamping authority certificates

  • RDP connection signing certificates

  • Any other kinds of certificates

It also serves as a secure and auditable vault for storing, retrieving, and sharing existing certificates, or certificates from other sources.

NOTE: This does not turn SPP into a certificate signing authority. You still have to submit any CSRs to a third party certificate authority to have them signed. SPP however, is used to store and protect the private key.

Capabilities include:

  • Any user can create a certificate signing request or upload an existing certificate for secure storage and access it in the vault.

  • An individual user or a user group can be set as the owner of a certificate. Owners have permissions to edit and manage the certificate.

    NOTE: A certificate must always have a user as an owner. A group cannot be the sole owner.

  • Certificates expire and must be replaced with new certificates. Expired certificates are still available as part of the certificate history. You can set a reminder date to have an email sent before the expiration. If the reminder is set for 30 days before the expiration of the certificate, an email reminder will be sent out on that day. There are no other follow-up emails.

  • Certificate ownership can be transferred to another user or user group.

  • Certificate owners can share the certificate with other users or user groups, along with the option of whether to include the certificate private key and encrypt it with a password.

  • Shared with members only have permission to download the certificate, and private key if configured. They do not have permission to manage the certificate in any other way.

Certificate Signing Request

To create a new CSR

  1. Click Create Certificate Signing Request (CSR).

  2. In the Create Signing Request dialog:

    1. Certificate Authority: Select this check box if the resulting certificate is intended to be a certificate authority or not and used to sign other certificates.

    2. Subject (Distinguished Name): The subject name must be in the format of distinguished name for the certificate. For example:

      cn=common name, ou=organizational unit, o=organization.

      • To create the distinguished name based on your entries for Fully Qualified Domain Name (required), Department, Organization, City/Locality, State/County/Region, and Country, click Use Distinguished Name Creator.

    3. Subject Alternate Name (DNS): Enter one or more DNS name values, typically used by SSL/TLS certificates that represents the domain name of a web site or other resource.

    4. (Optional)Subject Alternate Names (IP Address): If you would also like to access the resource via IP address, enter one or more values herein in IPv4 or IPv6 address format.

    5. Key Usage Critical: Select this check box if key usage is critical.

    6. Key Usage: Select Key usage extensions to define what a certificate will be used for.

      • Certificate Signing

      • Digital Signature

      • Key Agreement

      • Key Encipherment

      • Non-Repudiation

    7. Extended Key Usage Critical: Select this check box if extended key usage is critical.

    8. Extended Key Usage: Select one or more extended key usages from the list based on the intended usage of the certificate.

      • Client Authentication

      • Code Signing

      • Server Authentication

      • Smart Card Login

      • Time Stamping

    9. Key Size: Select the bit length of the private key pair. The bit length determines the security level of the SSL/TLS certificate.

      • 1024

      • 2048 (default)

      • 4096

    10. Notes: Enter any additional notes you wish to keep with the CSR. These notes are only stored within SPP. They will not be included in the resulting certificate file. After the CSR is signed and redeemed, the notes will be carried forward and appear with the certificate in the SPP web client. A user can update the notes at any time.

  3. Click OK. You are prompted with the following message:

    Please save and submit the following Certificate Signing Request to a Certificate Authority (CA).

  4. Click Copy to copy CSR text to your clipboard or click Save to save the CSR to a file. When saving to a file, it will download as a .csr file, which can be submitted to your Certificate Authority for signing.

    After the CSR is created, you cannot change any values. If you need to change any values, delete the CSR and create a new one.

  5. To update the list of certificates added, in the Certificate Signing Request pane, click Refresh.

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating