Chat now with support
Chat with Support

One Identity Safeguard for Privileged Passwords 8.0 LTS - Administration Guide

Introduction System requirements Using API and PowerShell tools Using the virtual appliance and web management console Cloud deployment considerations Setting up Safeguard for Privileged Passwords for the first time Using the web client Home page Privileged access requests Appliance Management
Appliance Backup and Retention Certificates Cluster Global Services External Integration Real-Time Reports Safeguard Access Appliance Management Settings
Asset Management
Account Automation Accounts Assets Partitions Discovery Profiles Tags Registered Connectors Custom platforms Importing objects
Security Policy Management
Access Request Activity Account Groups Application to Application Cloud Assistant Asset Groups Entitlements Linked Accounts User Groups Security Policy Settings
User Management Reports Vaults Disaster recovery and clusters Administrator permissions Preparing systems for management Troubleshooting Frequently asked questions Appendix A: Safeguard ports Appendix B: SPP and SPS join guidance Appendix C: Regular Expressions

Backup settings

You can configure an automatic backup schedule.

If you schedule a backup and a backup has already occurred for that interval (minute, hour, day, week, or month), another backup will not execute until the following minute, hour, day, week, or month. For example, if a backup has already occurred today and you set the backup schedule to run a daily backup, Safeguard for Privileged Passwords will not run the backup until tomorrow.

The backup schedule window end time must be after the start time.

Backup files to retain

In addition to completing the settings in the steps which follow, you can configure the maximum number of backup files you want Safeguard for Privileged Passwords to store on the appliance on the Backup Retention page.

To configure the backup schedule

  1. Go to Backup and Restore:
    • web client: Navigate to Backup and Retention > Backup and Restore.
  2. Based on the client you are using, do one of the following:
    • web client: Click  Settings.
  3. In the Backup Settings dialog, specify the backup schedule.

  4. Enter the schedule.

    • Select a time frame:

      • Never: The job will not run according to a set schedule. You can still manually run the job.
      • Minutes: The job runs per the frequency of minutes you specify. For example, Run Every 30/Minutes runs the job every half hour over a 24-hour period. It is recommended you do not use the frequency of minutes except in unusual situations, such as testing.
      • Hours: The job runs per the minute setting you specify. For example, if it is 9 a.m. and you want to run the job every two hours at 15 minutes past the hour starting at 9:15 a.m., select Run Every 2/Hours/@ minutes after the hour 15.

      • Days: The job runs on the frequency of days and the time you enter.

        For example, Run Every 2/Days/Starting @ 11:59:00 PM runs the job every other evening just before midnight.

      • Weeks The job runs per the frequency of weeks at the time and on the days you specify.

        For example, Run Every 2/Weeks/Starting @ 5:00:00 AM and Repeat on these days with MON, WED, FRI selected runs the job every other week at 5 a.m. on Monday, Wednesday, and Friday.

      • Months: The job runs on the frequency of months at the time and on the day you specify.

        For example, If you select Run Every 2/Months/Starting @ 1:00:00 AM along with Day of Week of Month/First/Saturday, the job will run at 1 a.m. on the first Saturday of every other month.

    • Select Use Time Windows if you want to enter the Start and End time. You can click Add or Remove to control multiple time restrictions. Each time window must be at least one minute apart and not overlap.

      For example, for a job to run every ten minutes every day from 10 p.m. to 2 a.m., enter these values:

      Enter Run Every 10/Minutes and set Use Time Windows:

      • Start 10:00:00 PM and End 11:59:00 PM
      • Start 12:00:00 AM and End 2:00:00 AM

        An entry of Start 10:00:00 PM and End 2:00:00 AM will result in an error as the end time must be after the start time.

      If you have selected Days, Weeks, or Months, you will be able to select the number of times for the job to Repeat in the time window you enter.

      For a job to run two times every other day at 10:30 am between the hours of 4 a.m. and 8 p.m., enter these values:

      For days, enter Run Every 2/Days and set Use Time Windows as Start 4:00:00 AM and End 8:00:00 PM and Repeat 2.

    If the scheduler is unable to complete a task within the scheduled interval, when it finishes execution of the task, it is rescheduled for the next immediate interval.

  5. In Send to archive server, select an already configured archive server to store the backup files externally from the appliance during a scheduled backup or when manually running a backup.This option is only available if you have configured an archive server. For more information, see Adding an archive server..
  6. You can select the Backup Protection settings. For more information, see Backup protection settings..
  7. Click OK to save your changes and leave the page. In the web client, you can click Apply to save your changes and stay on the page.

Backup protection settings

For maximum protection, set backup encryption on an appliance or on a primary appliance for cluster-wide protection. You may encrypt a Safeguard Backup File (.sgb) with one of the following methods:

  • Standard (default): No password or GPG key is required.
  • Password: You can enter any password value. You must have the password to restore the backup.

    CAUTION: Make sure to save the password in a safe vault. There is no way to recover the password needed to restore the backup.

  • GNU Privacy Guard (GPG) public key (RSA only): You can upload a .txt file with the public key and meta data or copy and paste the public key and meta data to Safeguard for Privileged Passwords. A backup file created with a GPG public key is encrypted when it is downloaded or archived. Only the private key holder can decrypt the backup file prior to the file being uploaded and restored. Once the private key holder decrypts the backup, the backup is the same as a backup generated when only appliance protection was selected.

    CAUTION: Make sure to save the GPG private key in a safe vault. There is no way to unencrypt the GPG protected file without the private key.

Once set, future backups created manually or automatically are protected.

Safeguard for Privileged Passwords detects all attempted uploads of an invalid backup. If a backup is GNU Privacy Guard (GPG) encrypted, a message like the following displays: The uploaded file could not be validated as a genuine Safeguard backup image. It has been blocked from the appliance. An audit event is created for the failed backup load with the error reasons which include an invalid signature.

For details, see:

To configure backup protection

  1. If you will use GPG key protection, generate your public key file and create a .txt file to be uploaded or copy and pasted.
  2. Go to Backup and Restore:
    • web client: Navigate to Backup and Retention > Backup and Restore. Then, click Settings.
  3. From the Backup Settings dialog, select the type of backup protection for the appliance. The settings on a primary appliance are replicated to the cluster. The settings are read-only on each cluster node.
    • Appliance Protection Only: This is the default and includes no password or GPG Key protection of the backup. The backup is only encrypted as a Safeguard genuine backup.
    • Add Password Protection: Once selected, enter the password in the Backup Password text box. If a password already exists, a static number of dots display. You can type in a new password in place of the existing password and then confirm the password. The password you type in is used for backups made from the time the password is set until it is changed. Make sure to keep the password information in a safe vault.
    • Add GPG Key Protection: Once selected, do one of the following:
      • Click Browse to upload the public key file from a .txt file you created earlier.
      • Paste the public key information generated earlier into the text box.

      When you navigate back to this dialog, you will see the name, fingerprint, and the detail to identify the public key file.

      The GPG public key you submit is used for backups generated from the time protection is set until it is changed. Once a backup is generated while GPG is set, it will always be downloaded or archived with the GPG public key encryption, regardless of any settings changed on the appliance after it is generated. The GPG public key encryption stays with the backup metadata. In addition, if you upload the backup to another appliance, downloading the backup again will encrypt it with the same GPG public key originally provided.

  4. Click OK.

Backup Retention

It is the responsibility of the Appliance Administrator to configure the maximum number of backup files you want Safeguard for Privileged Passwords to store on the appliance.

To configure the appliance backup retention settings

  1. Go to Backup Retention:
    • web client: Navigate to Backup and Retention > Backup Retention.
  2. Enter the maximum number of backup files you want to store on the appliance. You can enter 0 to 40 for the number of backup files that will be stored on the appliance. Then click Save.

Once Safeguard for Privileged Passwords saves the maximum number of backup files, next time it performs a backup, it deletes the backup file with the oldest date.

Authorize VM Compatible Backups

The Safeguard for Privileged Passwords web client allows you to generate a backup on a hardware appliance which can then be uploaded and restored on a Safeguard virtual machine.

IMPORTANT: Due to the potential security risk with migrating from a hardware appliance to a virtual machine, the Appliance Administrator making the request is required to contact One Identity Support as part of this process before they will be able to complete enabling this feature. This approval is indicated by the Not Authorized/Authorized indicator at the top of the Authorize VM Compatible Backups page.

IMPORTANT: You cannot upload a backup to a hardware appliance which was previously downloaded from hardware as VM compatible. Such a backup can only be uploaded to a Safeguard virtual machine.

IMPORTANT: This feature is not available on a replica within a cluster.

To authorize generating a hardware appliance backup for use on a virtual machine

  1. Navigate to Backup and Retention > Authorize VM Compatible Backups.
  2. In the Challenge Request User Identifier field, enter the name of the user requesting permission for the backup to be generated.

  3. Click Generate Request.

    NOTE: Only one challenge request can be active at a time. If there is a pending challenge request already active, you can cancel the active request by selecting the Invalidate Existing Challenge Request check box before generating a new request.

  4. A Challenge Request text box will appear. This text box contains the information needed by One Identity to confirm the VM compatible backup authorization request is valid. Use one of the following options to copy the information:

    • Copy Request: This copies the challenge request to your clipboard.

    • Download Request: This downloads the challenge request to a text file.

  5. Contact One Identity Support regarding your request to authorize the download of VM compatible backups from a hardware appliance. When requested, send the copied or downloaded challenge request to One Identity Support.

  6. Once One Identity Support has confirmed the request, a challenge response will be sent back. This text needs to be copy/pasted or uploaded (using the Browse button) to the Challenge Response text box.

  7. Click Verify Response to confirm the request as been approved.

    Once confirmed, an Authorized indicator will be displayed at the top of the Authorize VM Compatible Backups page. The Download VM Compatible option will now be available through the button on the Backup and Restore page on hardware appliances. In order to download a VM compatible backup it must have been created with password or GPG public key protection settings.

    You can use the Remove Authorization button to disable this feature. To reenable a new Challenge Request must be sent to One Identity Support.

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating