Chat now with support
Chat with Support

One Identity Safeguard for Privileged Passwords 8.0 LTS - Administration Guide

Introduction System requirements Using API and PowerShell tools Using the virtual appliance and web management console Cloud deployment considerations Setting up Safeguard for Privileged Passwords for the first time Using the web client Home page Privileged access requests Appliance Management
Appliance Backup and Retention Certificates Cluster Global Services External Integration Real-Time Reports Safeguard Access Appliance Management Settings
Asset Management
Account Automation Accounts Assets Partitions Discovery Profiles Tags Registered Connectors Custom platforms Importing objects
Security Policy Management
Access Request Activity Account Groups Application to Application Cloud Assistant Asset Groups Entitlements Linked Accounts User Groups Security Policy Settings
User Management Reports Vaults Disaster recovery and clusters Administrator permissions Preparing systems for management Troubleshooting Frequently asked questions Appendix A: Safeguard ports Appendix B: SPP and SPS join guidance Appendix C: Regular Expressions

Adding an archive server

Use the Archive Servers page on the Backup and Retention settings view to configure archive servers, which can then be selected to archive a backup file or assigned to an appliance to store its session recordings.

To configure an archive server

  1. Go to archive servers settings:

    • web client: Navigate to Backup and Retention > Archive Servers.
  2. Click Add and provide the following.

  3. Enter the display Name for the archive server. Limit: 100 characters.
  4. Enter Description information about the archive server. Limit: 255 characters.
  5. For Archive Method, select a transfer protocol type:
    • CIFS: Common Internet File System
    • SCP: Secure Copy Protocol
    • SFTP: Secure File Transfer Program
  6. For Network Address, enter a network DNS name or the IP address used to connect to the server over the network. Limit: 255 characters.
  7. If you select SCP or SFTP, enter the Port used by SSH to log in to the managed system. Not applicable for CIFS archive mode.
  8. For Storage Path, enter the file path where you want to store backup files on the archive server. Limit: 255 characters.
  9. For Authentication Type, select the type of authentication to be used to access the archive server:
    • Password (default)
    • Directory Account
    • SSH Key (Available if an Archive Method of SCP or SFTP is selected.)
  10. If Directory is the Authentication Type:

    1. Account Name: Click Browse to select the service account to be used to access the archive server.
    2. If you selected the Archive Method of SCP or SFTP, you can select Auto Accept SSH Host Key to have Safeguard for Privileged Passwords automatically accept the SSH host key when it creates the archive server.
  11. If Password is the Authentication Type:
    1. For Account Name, you can do one of the following:
      • As an Appliance Administrator, if you also have Asset Administrator permission or are a Delegated Partition Owner, you can click Browse to select the service account to be used to access the archive server. If a Network Address was entered, you will see the managed accounts for the Network Address or no associated Network Address.

        Once you select an account, a Reset button is available to clear the managed account selection and Network Address is set to the selected account's network address.

      • Enter the Account Name instead of browsing for a managed account.
    2. Password: Enter the service account password.
    3. If you selected the Archive Method of SCP or SFTP, you can select Auto Accept SSH Host Key to have Safeguard for Privileged Passwords automatically accept the SSH host key when it creates the archive server.
  12. If you selected the Archive Method of SCP or SFTP and selected SSH Key as the Authentication Type, proceed with these steps.

    1. For Account Name, you can do one of the following:
      • As an Appliance Administrator, if you also have Asset Administrator permission or are a Delegated Partition Owner, you can click Browse to select the service account to be used to access the archive server. If a Network Address was entered, you will see the managed accounts for the Network Address or no associated Network Address.

        Once you select an account, a Reset button is available to clear the managed account selection and Network Address is set to the selected account's network address.

      • Enter the Account Name instead of browsing for a managed account.
    2. In SSH Key Generation and Deployment Settings, select one of the following settings:
      • Automatically generate and deploy a new SSH Key: Enter the Password. Optionally, select Auto Accept SSH Host Key to have Safeguard for Privileged Passwords automatically accept the SSH host key when it creates the archive server.
      • Automatically generate a new SSH Key that I will deploy myself: Optionally, select Auto Accept SSH Host Key to have Safeguard for Privileged Passwords automatically accept the SSH host key when it creates the archive server.
      • Import an SSH Key that I will deploy myself: Browse to select the SSH Key file.

        NOTE:Safeguard for Privileged Passwords does not currently manage the options for an authorized key. If an imported key has any options configured in the authorized keys file on the asset, these options will not be preserved when the key is rotated by Safeguard for Privileged Passwords.

        1. Click Browse. On the Import an SSH Key dialog, click Browse then select the Private Key File.

        2. Enter a Password, if desired. A password is required if the private key is encrypted.

        3. Click Import.

        4. Optionally, select Auto Accept SSH Host Key to have Safeguard for Privileged Passwords automatically accept the SSH host key when it creates the archive server.

  13. Test Connection: Click this button to verify that the appliance can communicate with this archive server. For details, see:

  14. Click OK.

Once you have configured your archive servers, you need to designate a target archive for both your backup files and session recordings. For backup files, see Archive backup.

Audit Log Maintenance

Appliance Administrators can configure Safeguard for Privileged Passwords to perform weekly maintenance, audit log purge, and audit log archiving to a designated archive server. Archiving audit logs allows you to keep critical and relevant data online and current while eliminating or archiving audit logs that are no longer required.

The benefits of purging audit logs include smaller backups and less audit log data to stream when enrolling a new cluster member. It is recommended you store no more than six months of audit logs on your Safeguard appliance.

The default Audit Log Maintenance configuration is to synchronize data and audit logs only on Saturday at 12 a.m.

CAUTION: Audit Log Maintenance locks the cluster. The operations can take hours depending on the amount of audit log data on the appliance, the amount of data being archived/purged, and the network between the synchronizing nodes in the cluster.

If configured to delete audit logs, each appliance will enter maintenance and be unavailable for approximately 5 minutes at some point during the audit log maintenance window.

View Audit Log Maintenance settings

  1. While connected to the primary appliance, go to Audit Log Maintenance:
    • web client: Navigate to Backup and Retention > Audit Log Maintenance.
  2. If configured, the following displays:
    • Archive: The archive server, if required by the operation.
    • Action: The action defined in Audit Log Maintenance.
    • Schedule: A description of the schedule, such as Every Saturday at 12:00 AM.
    • Next Scheduled Maintenance: The next time the scheduled maintenance will run.
    • Last Successful Archive/Purge: The local time of the last successful archive or purge.
    • Last Failed Archive/Purge: The local time of the last failed archive or purge.
    • Last Audit Log Sync: The local time of the last audit log synchronization.
    • Last Data Sync: The local time of the last data synchronization.

Configure and schedule Audit Log Maintenance

To define and schedule Audit Log Maintenance, configure the following. For a cluster, configure the primary appliance. Each action will take some time to process. The cluster is locked during the process and other cluster operations cannot be performed. You can check progress in the Activity Center..

  1. While connected to the primary appliance, go to Audit Log Maintenance:
    • web client: Navigate to Backup and Retention > Audit Log Maintenance.
  2. Click Settings to configure Audit Log Maintenance .

  3. On the Audit Log Maintenance dialog, select an action:
    • Synchronize data and audit logs only (default action): Data and audit logs are synchronized. If any data fails to synchronize, synchronize will run again on the next day at the configured Start time. Audit logs are not archived or purged from the appliance.
    • Synchronize after archiving and deleting audit logs older than __ days.

      Audit logs older than the number of days specified will be archived to the specified archive server by the primary. Next, those audit logs will be removed from each node, requiring a short maintenance on each. Purged audit logs cannot be recovered. The default is 365 days. The minimum is 30 days and there is no maximum.

      The benefits of purging audit logs include smaller backups and less audit log data to stream when enrolling a new cluster member. It is recommended you store no more than six months of audit logs on your Safeguard appliance. This option is only available if you have configured an archive server. For more information, see Adding an archive server.

      1. Enter the days. Audit logs older than the number of days specified will be archived and then purged from the appliance(s). The default is 365 days. The minimum is 30 days and there is no maximum. Cluster enrollment could take longer if higher retention values are used. Data is also synchronized.
      2. Select a configured archive server in Send to archive server. Audit logs are archived to the specified archive server during a scheduled audit log maintenance or when Run Now is selected.
    • Synchronize after deleting audit logs older than __ days.

      Audit logs older than the number of days specified will be purged from the appliance(s). Purged audit logs cannot be recovered. The default is 365 days. The minimum is 30 days and there is no maximum. The benefits of purging audit logs include smaller backups and less audit log data to stream when enrolling a new cluster member. It is recommended you store no more than six months of audit logs on your Safeguard appliance.

  4. Set the schedule for Audit Log Maintenance to run:
    1. Select the Day of the week. The default is Saturday.
    2. Click Time select the Start Hour. The default is 12:00 a.m.
    3. Select the time zone. The default is Coordinated Universal Time (UTC).
  5. Click OK.

Monitoring the progress of Audit Log Maintenance

Audit Log Maintenance automatically runs the configuration settings and schedule you enter. You can also manually select to run Audit Log Maintenance. Check the results in the Activity Center based on the action. If you need to cancel the operation at any point, follow the steps in Cancel Audit Log Maintenance from the Audit Log Maintenance page.

  • Synchronize data and audit logs only (and not perform archive and delete):
    • Processing and successful completion: Audit log maintenance synchronize has both a data and audit log sync component. These only do work in a cluster. At the beginning of the operation, the cluster is locked for "ensuring data consistency". This can be viewed on both the Audit Log Maintenance summary and in the Settings > Cluster Management.

      The start of data synchronization is recorded with a SynchronizingDataStarted event. Upon completion, the SynchronizingDataCompleted event reports if all data was successfully synchronized or if only a portion completed. Next, the start of the audit log synchronization is recorded with the SynchronizingAuditLogStartedEvent. Upon completion, the SynchronizingAuditLogCompletedEvent will report if all audit logs were successfully synchronized or if only a portion complete.

      In order to ensure every appliance has consistent data and audit logs, synchronize must successfully synchronize all data every week.

    • Failed portions: If the complete events indicate not all sync was successful, the sync will trigger the following day at the configured start hour and retry failed portions.
  • Synchronize after archiving and deleting audit logs older than __ days:
    • Processing: Audit log archiving selects all the audit logs after the purge date to archive. At the beginning of the operation, the cluster is locked for Archiving and/or purging audit logs. Audit log maintenance will proceed with the purge only if the archive is successful. On each appliance, the purge operation will determine if there is data to purge. If so, the replicas will enter maintenance one at a time to purge the data. Each appliance should be in maintenance for less than five minutes. Once complete, the primary will purge while in maintenance. The cluster lock will be released. Audit log maintenance will now proceed to the synchronize operations as detailed in the bullet above.
    • Successful: When the archive is successfully sent to the archive server, it will generate an ArchiveTaskSucceeded event. If purge is required and successful, it will generate the AuditLogPurged event. The cluster lock will be released and the SchedulerJobSucceeded event will mark the end of the archive/purge operations. Audit log maintenance will continue on to synchronize as detailed above.
    • Failed: If the primary appliance is unable to archive the audit logs, there will be no ArchiveTaskSucceeded event and there will be no subsequent purge. The data will remain on all appliances. The archive/purge operation will complete with a SchedulerJobFailed event containing Job ID = core.AuditLogMaintenance. You can see the reason for the failure in the event. Audit log maintenance will continue on to synchronize as detailed above.
  • Synchronize after deleting audit logs older than __ days:
    • Processing: Audit log purging enumerates all the audit logs after the purge date to delete from each appliance in the cluster. The data cannot be recovered. At the beginning of the operation, the cluster is locked for Archiving and/or purging audit logs. On each appliance, the purge operation will determine if there is data to purge. If so, the replicas will enter maintenance one at a time to purge the data. Each appliance should be in maintenance for less than five minutes. Once complete, the primary will purge while in maintenance. The cluster lock will be released. Audit log maintenance will now proceed to the synchronize operations as detailed in the bullet above.
    • Success: If purge is required and successful, it will generate the AuditLogPurged event. The cluster lock will be released and the SchedulerJobSucceeded event will mark the end of the archive/purge operations. Audit log maintenance will continue on to synchronize as detailed above.
    • Failed: If the primary appliance is unable to delete the audit logs, the operation will complete with a SchedulerJobFailed event containing Job ID = core.AuditLogMaintenance. You can see the reason for the failure in the event. Audit log maintenance will continue on to synchronize as detailed above.

Manually run Audit Log Maintenance

You can manually run Audit Log Maintenance. The same operations detailed above based on the Audit Log Maintenance configuration execute. Each action will take some time to process. The cluster is locked during the process and other cluster operations cannot be performed. You can check progress in the Activity Center..

  1. While connected to the primary appliance, go to Audit Log Maintenance:
    • web client: Navigate to Backup and Retention > Audit Log Maintenance.
  2. Click Settings to ensure the Audit Log Maintenance configuration is correct.
  3. Click Run Now to run Audit Log Maintenance as configured. You will be presented with a confirmation dialog box. How you proceed will depend on the action you selected:
    • If the action is Synchronize data and audit logs only (and not perform archive and delete), the Synchronize Data and Audit Logs dialog box displays.
    • If the action is Synchronize after archiving and deleting audit logs older than __ days, the Archive dialog box displays with the name of the archive server.
    • If the action is Synchronize after deleting audit logs older than __ days, the Purge Audit Log dialog displays indicating that the audit log will be purged according to the retention policy (the number of days you entered). Purged audit logs cannot be recovered.

Cancel Audit Log Maintenance from the Audit Log Maintenance page

When Audit Log Maintenance is running, the cluster is locked and a Cancel button is available. When you click Cancel, you will be presented with an Unlock Cluster confirmation dialog. Enter Unlock Cluster and click OK. The cluster lock is released immediately, however you must monitor Activity Center as follows to ensure the operations are complete. For more information, see Monitoring the progress of Audit Log Maintenance..

  • Synchronize data and audit logs only: When you cancel, the lock is release immediately, however you must monitor Activity Center for completion of the work. In the Activity Center, wait for the SynchronizingDataCompletedEvent then the SynchronizingAuditLogsCompletedEvent to appear before proceeding with other clustering operations to ensure all nodes in the cluster hold all of the audit data. Once canceled, the cluster will try and complete the audit log synchronization on the Audit Log Management Start Hour on the next day.
  • Synchronize after archiving and deleting audit logs older than __ days: When you cancel, the lock is release immediately, however you must monitor Activity Center for completion of the work. If you elect to cancel while the cluster is locked for Archiving and/or purging audit logs, monitor Activity Center for the SchedulerJobSucceeded or SchedulerJobFailed event, containing Job Id = core.AuditLogMaintenance, indicating the archive/purge has completed. Audit Log Maintenance will continue to synchronize regardless. You will also need to cancel once you see the cluster is locked for Ensuring data consistency. Monitor the Activity Center for the SynchronizingAuditLogCompleted event indicating the operation completed. It is now safe to continue with your clustering operation.
  • Synchronize after deleting audit logs older than __ days: When you cancel the lock is release immediately, however you must monitor Activity Center for completion of the work. If you elect to cancel while the cluster is locked for Archiving and/or purging audit logs, monitor Activity Center for the SchedulerJobSucceeded or SchedulerJobFailed event, containing Job Id = core.AuditLogMaintenance, indicating the archive/purge has completed. Audit Log Maintenance will continue to synchronize regardless. You will also need to cancel once you see the cluster is locked for Ensuring data consistency. Monitor the Activity Center for the SynchronizingAuditLogCompleted event indicating the operation completed. It is now safe to continue with your clustering operation.

To cancel Audit Log Maintenance from Cluster Management

You can also cancel Audit Log Maintenance from Cluster Management by unlocking the cluster with the following steps. For more information, see Unlocking a locked cluster..

  1. Go to Cluster Management:
    • web client: Navigate to Cluster > Cluster Management.
  2. On Cluster Management, a banner like the following displays: Archiving and/or purging audit logs and the Start Time displays. The message reminds you that the cluster is locked during the process and other cluster operations cannot be performed. The cluster will unlock automatically when the operation is complete.
  3. Click the lock icon in the upper right corner of the warning banner.
  4. In the Unlock Cluster confirmation dialog, enter Unlock Cluster and click OK.

    This will release the cluster lock that was placed on all of the appliances in the cluster and close the operation.

IMPORTANT: Care should be taken when unlocking a locked cluster. It should only be used when you are sure that one or more appliances in the cluster are offline and will not finish the current operation. If you force the cluster unlock, you may cause instability on an appliance, requiring a factory reset and possibly the need to rebuild the cluster. If you are unsure about the operation in progress, do NOT unlock the cluster.

Backup and Restore

It is the responsibility of the Appliance Administrator to manage Safeguard for Privileged Passwords backups.

As a best practice, store backups on an archive server that is external from the appliance so that the backup image is available for restoration even if there is a catastrophic disk or hardware failure. Keep only a minimum number of backup files on the appliance. After you download or archive the Safeguard Backup Files (.sgb), use Delete to remove them. You can set the maximum number of backup files you want Safeguard for Privileged Passwords to retain on the appliance in Backup and Retention.

For maximum backup protection, Appliance Administrators can configure the cluster wide GPG public key or password encryption. Either will protect all subsequent backups generated from each appliance in the cluster. GPG protection will apply when downloaded or archived. Password protection will apply when generated. For details, see:

  • Go to Backup and Restore:
    • web client: Navigate to Backup and Retention > Backup and Restore.

    The Backup and Restore page lists this information for the backups that are currently in the database.

    Table 19: Backup and Restore: Properties
    Property Description
    Date The date of the backup
    Progress

    The status of the backup: Running or Complete

    File Size (MB) The size of the backup file in megabytes
    Appliance Name The name of the appliance
    Appliance Version The version of the Safeguard for Privileged Passwords Appliance

    Protection Type

    Hover over an icon to view the type of protection:

    • (default) Standard protection: No password or GPG key is required.
    • GPG public key protection: A private key is required to upload the backup to be restored.
    • Password protection: A password is required to restore the backup.
    User

    The name of the user that created the backup

    Last Archived Date The date the selected backup ran
    Archive Server Name

    The name of the server on which the backup was archived

    File Name

    The Safeguard backup file name which is an .sgb file.

    Use these toolbar buttons to manage Safeguard for Privileged Passwords backups.

    Table 20: Backup and Restore: Toolbar
    Option Description
    Run Now

    Create a backup copy of the data that is currently on the appliance. For more information, see Run Now..

    Remove

    Remove the selected backup file from the Backups page and the Safeguard for Privileged Passwords database. The backup is immediately removed.

    Download

    Save the selected backup file in a location on your appliance. For more information, see Download a backup..

    Download VM Compatible

    Use this option to download a VM compatible backup, which can then be uploaded and restored on a Safeguard for Privileged Passwords virtual machine. In order to download a VM compatible backup it must have been created with password or GPG public key protection settings. To enable the option to download a VM compatible backup of a hardware appliance, see Authorize VM Compatible Backups.

    IMPORTANT: You cannot upload a backup to hardware that has been downloaded from hardware as VM compatible.

    Upload

    Retrieve a backup file from a file location and add it to the Backups page list. For more information, see Upload a backup..

    Restore

    For the selected backup file, overwrite the current data and restore Safeguard for Privileged Passwords to the selected backup. For more information, see Restore a backup..

    Archive

    Store the selected backup file on an external archive server. For more information, see Archive backup..

    Settings
    Refresh

    Update the list of backup files on the Backups page.

  • Run Now

    You can click Run Now to manually trigger and create a new backup. If password or GNU Privacy Guard (GPG) encryption is set for appliance or on the primary appliance for cluster-wide encryption, those encryption settings are enforced when you select Run Now.

    If you have selected Send to archive server, the backup will be sent to the archive server. For more information, see Backup settings..

    To create a new backup

    1. Navigate to Backup and Restore:
      • web client: Navigate to Backup and Retention > Backup and Restore.
    2. Click  Run Now. In the web client, an Adding backup file progress bar displays to let you know the process is Running.
    3. If password encryption is required on an appliance or a primary appliance for cluster-wide backup encryption, you are prompted to enter the password. If encryption is set, make sure the password or private GPG key is available for restoring the backup later, if necessary. For more information see, Backup and restore, Backup protection settings.
    4. Verify that the Safeguard Backup File (.sgb) has been created.

    Caution: If you restore a backup that is older than the Maximum Password Age set in the Local Login Control settings, all user accounts (including the bootstrap administrator) will be locked out and you will have to reset all of the user account passwords. To avoid this situation, you can reset the Maximum Password Age to zero before you perform the backup, then reset it after the restore.

    TIP: As a best practice, perform backups more frequently than the Maximum Password Age setting.

    Caution: Safeguard for Privileged Passwords can not restore any access request workflow events in process at the time of a backup.

    CAUTION: When restoring a backup that was created with a Hardware Security Module integration in place, the encryption key used at the time of the backup creation needs to still be present and accessible by the Safeguard for Privileged Passwords appliance. If not, the appliance will not be able to verify the Hardware Security Module configuration used to encrypt the data in the backup. You will be allowed to continue with the restore, however the Safeguard for Privileged Passwords appliance will most likely Quarantine in the process, so this is not recommended.

    Related Documents

    The document was helpful.

    Select Rating

    I easily found the information I needed.

    Select Rating