Chat now with support
Chat with Support

One Identity Safeguard for Privileged Sessions 5.8.0 - Administration Guide

Preface Introduction The concepts of SPS The Welcome Wizard and the first login Basic settings User management and access control Managing SPS
Controlling SPS: reboot, shutdown Managing Safeguard for Privileged Sessions clusters Managing a high availability SPS cluster Upgrading SPS Managing the SPS license Accessing the SPS console Sealed mode Out-of-band management of SPS Managing the certificates used on SPS
General connection settings HTTP-specific settings ICA-specific settings RDP-specific settings SSH-specific settings Telnet-specific settings VMware Horizon View connections VNC-specific settings Indexing audit trails Using the Search (classic) interface Using the Search interface Searching session data on a central node in a cluster Advanced authentication and authorization techniques Reports The SPS RPC API The SPS REST API SPS scenarios Troubleshooting SPS Configuring external devices Using SCP with agent-forwarding Security checklist for configuring SPS Jumplists for in-product help Third-party contributions About us

Configuring public-key authentication using an LDAP server and a fixed key

Purpose:

To fetch the public keys of the users from an LDAP server and use a locally-stored private-public keypair in the server-side connection, complete the following steps:

NOTE:

One Identity recommends using 2048-bit RSA keys (or stronger).

Steps:
  1. Navigate to SSH Control > Authentication Policies and create a new Authentication Policy.

  2. Select Authenticate the client to PSM using > LDAP > Public key, deselect all other options.

  3. Select Relayed authentication methods > Public key > Fix, deselect all other options.

  4. Select Private key and click . A pop-up window is displayed.

  5. Click Browse and select the private key of the user, or paste the key into the Copy-paste field. Enter the password for the private key into the Password field and click Upload.

    NOTE:

    SPS accepts passwords that are not longer than 150 characters. The following special characters can be used: !"#$%&'()*+,-./:;<=>?@[\]^-`{|}

    If the private key of the user is not available, click Generate to create a new private key. You can set the size of the key in the Generate key field. In this case, do not forget to export the public key from SPS and import it to the server. To export the key from SPS, just click on the key and save it to your local computer.

  6. Click on the fingerprint of the key in the Server side private and public key > Private key field and save the public key. Do not forget to import this public key to the server: all connections that use this new authentication policy will use this keypair on the server side.

  7. Click Commit.

  8. Navigate to Policies > LDAP Servers and click to create a new LDAP policy.

  9. Enter the parameters of the LDAP server. For details, see Authenticating users to an LDAP server.

  10. If different from sshPublicKey, enter the name of the LDAP attribute that stores the public keys of the users into the Publickey attribute name field.

    Caution:

    The public keys stored in the LDAP database must be in OpenSSH format.

  11. Navigate to SSH Control > Connections and create a new Connection.

  12. Enter the IP addresses of the clients and the servers into the From and To fields.

  13. Select the authentication policy created in Step 1 from the Authentication Policy field.

  14. Select the LDAP policy created in Step 7 from the LDAP Server field.

  15. If the server accepts a user only from a specific IP address, select the Use original IP address of the client radiobutton from the SNAT field.

  16. Configure the other options of the connection as necessary.

  17. Click Commit.

  18. To test the above settings, initiate a connection from the client machine to the server.

Configuring public-key authentication using an LDAP server and generated keys

Purpose:

To fetch the public keys of the users from an LDAP server and have SPS generate a keypair that is used in the server-side connection on-the-fly, and upload the public key of this pair to the LDAP database, complete the following steps:

Steps:
  1. Navigate to SSH Control > Authentication Policies and create a new Authentication Policy.

  2. Select Authenticate the client to PSM using > LDAP > Public key, deselect all other options.

  3. Select Relayed authentication methods > Public key > Publish to LDAP, deselect all other options.

  4. Click Commit.

  5. Navigate to Policies > LDAP Servers and click to create a new LDAP policy.

  6. Enter the parameters of the LDAP server. For details, see Authenticating users to an LDAP server.

  7. If different from sshPublicKey, enter the name of the LDAP attribute that stores the public keys of the users into the Publickey attribute name field.

    Caution:

    The public keys stored in the LDAP database must be in OpenSSH format.

  8. Enter the name of the LDAP attribute where SPS shall upload the generated keys into the Generated publickey attribute name field.

  9. Click Commit.

  10. Navigate to SSH Control > Connections and create a new Connection.

  11. Enter the IP addresses of the clients and the servers into the From and To fields.

  12. Select the authentication policy created in Step 1 from the Authentication Policy field.

  13. Select the LDAP policy created in Step 7 from the LDAP Server field.

  14. If the server accepts a user only from a specific IP address, select the Use original IP address of the client radiobutton from the SNAT field.

  15. Configure the other options of the connection as necessary.

  16. Click Commit.

  17. To test the above settings, initiate a connection from the client machine to the server.

Organizing connections in non-transparent mode

When using SPS in non-transparent mode, the administrators must address SPS to access the protected servers. If an administrator has access to more than one protected server, SPS must be able to determine which server the administrator wants to access. For each protected server, the administrators must address either different ports of the configured interface, or different alias IP addresses.

Organizing connections based on port numbers

Purpose:

To allow the administrators to access protected servers by connecting to the IP address of SPS, and use the port number to select which server they want to access. Organizing connections based on port numbers is advantageous if SPS has a public IP address and the protected servers must be administered from the Internet.

NOTE:

Do not use the listening addresses configured for web login. For more details, see Configuring user and administrator login addresses.

For details on configuring alias IP addresses, see Managing logical interfaces.

Steps:
  1. Navigate to the Connections tab of the SSH Control menu.

  2. Add a new connection. Enter the IP address of the administrators into the From fields, and the IP address and port number of the server into the Target field.

  3. Enter the IP address of the logical interface of SPS into the To field, and enter a port number into the Port field.

  4. Repeat Steps 2-3 for every protected server, but every time use a different port number in Step 3.

  5. Click Commit.

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating