
One Identity Safeguard for Privileged Passwords 7.5 - Administration Guide


Checking, changing, or setting an SSH key

The Asset Administrator can manually check, change, or set an SSH key.

To manually check, change, or set an SSH key

  1. Navigate to Asset Management > Accounts.

  2. In Accounts, select an account from the object list.

  3. Click View Details from the toolbar.

  4. Navigate to Properties > Secrets.

  5. The SSH Key tile available on this page provides the following options:

  6. Select one of these options.

    • Set to set the SSH key in the SPP database. The Set option does not change the account SSH key on the asset. The Set option provides the following options.

      • Generate an SSH Key: Generate a new SSH key and assign it to the account. The SSH key complies with the SSH key rule that is set in the account's profile.

        CAUTION: Do not generate a new SSH key for a service account because the connection to the asset will be lost. Instead, use the Change option for SSH Keys.

        After you select Generate, the key is generated and saved in the SPP database. The following fields display.

        • Account: The account name

        • Fingerprint: The fingerprint of the SSH key used for authentication

        • Key Comment: Information about the SSH key

        • Type: The SSH authentication key type, such as RSA or DSA. For more information, see SSH Key Profiles.

        • Length: The length of the SSH authentication key. For more information, see SSH Key Profiles.

        • Public Key: The generated key; click Copy to put it into your copy buffer. You can then log in to your device, using the old SSH key, and change it to the SSH key in your copy buffer.

      • Import an SSH Key: Import a private key file for an SSH key that has been generated outside of SPP and assign it to the account. Click Browse to import the key file, enter a Password, then click OK.

        When importing an SSH key that has already been manually configured for an account on an asset, it is recommended that you first verify that the key has been correctly configured before importing the key. For example, you can run an SSH client program to check that the private key can be used to log in to the asset: ssh -i <privatekeyfile> -l <accountname> <assetIp>. Refer to the OpenSSH server documentation for the target platform for more details on how to configure an authorized key.

        NOTE: SPP does not currently manage the options for an authorized key. If an imported key has any options configured in the authorized keys file on the asset, these options will not be preserved when the key is rotated by SPP.

      • Deploy SSH Key: If not already configured, install the account's current SSH key on the asset in the correct file for the account.

    • Check to verify the account SSH key is in sync with the SPP database. If the SSH key verification fails, you can change it.

    • Change to reset and synchronize the SSH key with the SPP database. For service accounts, use this selection and do not use Generate SSH Key to change the SSH key.
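
The NOTE under Import an SSH Key states that options configured for a key in the asset's authorized keys file are not preserved when SPP rotates the key. The following added example (not part of this guide or of SPP) parses OpenSSH authorized_keys content and reports the entries that carry options, so they can be recorded before the key is imported. The sample file content, key blobs, and function names are constructed for illustration.

```python
import base64
import hashlib

KEY_TYPES = {"ssh-rsa", "ssh-dss", "ssh-ed25519", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}

def split_outside_quotes(line):
    """Split on whitespace, keeping double-quoted option values intact."""
    fields, buf, quoted, escaped = [], "", False, False
    for ch in line.strip():
        if ch.isspace() and not quoted:
            if buf:
                fields.append(buf)
            buf = ""
            continue
        if ch == '"' and not escaped:
            quoted = not quoted
        escaped = quoted and ch == "\\" and not escaped
        buf += ch
    if buf:
        fields.append(buf)
    return fields

def fingerprint(blob_b64):
    """OpenSSH-style SHA256 fingerprint of a base64 public key blob."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def parse_entry(line):
    """Return options/type/fingerprint/comment, or None for non-key lines."""
    if line.lstrip().startswith("#"):
        return None
    fields = split_outside_quotes(line)
    idx = next((i for i, f in enumerate(fields[:2]) if f in KEY_TYPES), None)
    if idx is None or len(fields) < idx + 2:
        return None
    return {"options": fields[0] if idx else "", "type": fields[idx],
            "fingerprint": fingerprint(fields[idx + 1]),
            "comment": " ".join(fields[idx + 2:])}

def entries_with_options(text):
    """Entries whose options would need re-applying after a rotation."""
    parsed = (parse_entry(line) for line in text.splitlines())
    return [e for e in parsed if e and e["options"]]

# Constructed sample: the blobs are placeholder bytes, not real public keys.
BLOB_A = base64.b64encode(b"constructed key blob A").decode()
BLOB_B = base64.b64encode(b"constructed key blob B").decode()
SAMPLE = f'''# authorized_keys for svc-backup (constructed)
ssh-ed25519 {BLOB_A} svc-backup@jump
from="10.0.0.0/8",command="/usr/local/bin/backup --mode full",no-pty ssh-rsa {BLOB_B} batch key
'''
```
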

Viewing SSH key archive

The Asset Administrator can access a previous SSH key for an account for a specific date.

The SSH Key Archive dialog only displays previously assigned SSH keys for the selected asset based on the date specified. This dialog does not display the current SSH key for the asset. The SSH key archive is never purged.

You view an account's SSH key validation and reset history on the Check and Change Log tab.

To access an account's previous SSH key

  1. Navigate to Asset Management > Accounts.
  2. Select an account and click (View Details).
  3. Navigate to Properties > Secrets.
  4. On the SSH Key tile, click View Archive.
  5. In the SSH Key Archive dialog, select a date. If you select today's date (or a previous date) and no entries are returned, this indicates that the asset is still using the current SSH key.

  6. In the View column, click to display the SSH key that was assigned to the asset at that given date and time.
  7. In the details dialog, click Copy to copy the SSH key to your copy buffer, or click OK to close the dialog.

Adding an API key

The Asset Administrator can manually add an API key to an account.

To add an API key

  1. Navigate to Asset Management > Accounts.

  2. In Accounts, select an account from the object list.
  3. Click (View Details) from the toolbar.
  4. Navigate to Properties > Secrets.
  5. In the API Keys section, click the New API Key button.

  6. Depending on the type of account, the following information may be required:

    1. Name: Enter the name of the API key. This must match the name used in the platform.

    2. Description: Enter a description of the API key.

    3. Expires: Enter the number of days before the key will expire.

  7. You can also set the API Key to match an existing key for the account. This option does not change the API key information on the platform. This can be done at a later time (using the Set button associated with the API key tile) or a new key will be generated when the key is changed. The following options may appear depending on the type of platform:

    1. Client Identifier: Copy the client identifier from the platform and add it to this field.
    2. Client Secret: Copy the client secret from the platform and add it to the field. Once configured, click Copy to put it into your copy buffer. You can then log in to your device, using the old client secret, and change it to the client secret in your copy buffer.

    3. Client Secret Identifier (Azure AD only): Copy the client secret identifier from the platform and add it to the field. If the identifier doesn't match, when you attempt to change the API key for the Azure AD platform it will create a new one with the identifier set in Safeguard for SPP.

  8. Click Save.

Checking, changing, or setting an API key

The Asset Administrator can manually check, change, or set an API key associated with Azure AD and AWS connectors.

To manually check, change, or set an API key

NOTE: Should 4 or more API keys be configured, the tiles will be condensed into a single summary tile. To access and manage the individual API keys, click the name of the tile (API Keys <n>). This will open a pane containing a table view of the configured API keys as well as toolbar options for managing the keys.

  1. Navigate to Asset Management > Accounts.

  2. In Accounts, select an account from the object list.
  3. Click (View Details) from the toolbar.
  4. Navigate to Properties > Secrets.
  5. Each configured API key is represented by a tile available on this page which provides the following options: 

    1. Set to set the API key secret in the SPP database. This option does not change the API key information on the platform. The following options may appear depending on the type of platform:

      1. Client Identifier: Copy the client identifier from the platform and add it to this field.

      2. Client Secret: Copy the client secret from the platform and add it to the field. Once configured, click Copy to put it into your copy buffer. You can then log in to your device, using the old client secret, and change it to the client secret in your copy buffer.

      3. Client Secret Identifier (Azure AD only): Copy the client secret identifier from the platform and add it to the field. If the identifier doesn't match, when you attempt to change the API key for the Azure AD platform it will create a new one with the identifier set in Safeguard for SPP.

      4. Set Client Secret: Click this button to save the configuration.

    2. Check to verify the API key is in sync with the SPP database. If the API key verification fails, you can change it.

    3. Change to reset and synchronize the API key with the SPP database.

    4. (Remove): Click this button to remove a previously configured API Key.
