Chat now with support

Get Live Help
Complete Registration

Sign In

Request Pricing

Contact Sales

One Identity Safeguard for Privileged Sessions 5.9.0 - Administration Guide

Table of Contents

Summary of changes

Introduction The concepts of SPS

The philosophy of SPS Policies Credential Stores Plugin framework Indexing Supported protocols and client applications Modes of operation

Transparent mode Single-interface transparent mode Non-transparent mode Inband destination selection

Connecting to a server through SPS

Connecting to a server through SPS using SSH Connecting to a server through SPS using RDP Connecting to a server through SPS using an RD Gateway

Archive and backup concepts

Configuration export System backup Connection backup Connection archive Support bundle Debug logs Connection logs Core dump files

Maximizing the scope of auditing IPv6 in SPS SSH hostkeys Authenticating clients using public-key authentication in SSH The gateway authentication process Four-eyes authorization Network interfaces High Availability support in SPS Versions and releases of SPS Accessing and configuring SPS

The Welcome Wizard and the first login

The initial connection to SPS

Creating an alias IP address (Microsoft Windows) Creating an alias IP address (Linux) Modifying the IP address of SPS Accessing the Welcome Wizard from a non-standard interface

Configuring SPS with the Welcome Wizard Logging in to SPS and configuring the first connection

Supported web browsers and operating systems The structure of the web interface

Elements of the main workspace Multiple users and locking Web interface timeout Preferences

Network settings

Configuring user and administrator login addresses Managing logical interfaces Routing uncontrolled traffic between logical interfaces Configuring the routing table

Configuring date and time System logging, SNMP and e-mail alerts

Configuring system logging Configuring e-mail alerts Configuring SNMP alerts Querying SPS status information using agents Customize system logging in SPS

Configuring system monitoring on SPS

Configuring monitoring Health monitoring Preventing disk space fill-up System related traps Traffic related traps

Data and configuration backups

Creating a backup policy using Rsync over SSH Creating a backup policy using SMB/CIFS Creating a backup policy using NFS Creating configuration backups Creating data backups Encrypting configuration backups with GPG

Archiving and cleanup

Creating a cleanup policy Creating an archive policy using SMB/CIFS Creating an archive policy using NFS Archiving or cleaning up the collected data

Forwarding logs

Using the Splunk forwarder Universal Siem Forwarder

ContentMessage MetaMessage ScoreMessage

User management and access control

Managing SPS users locally

Creating local users in SPS Deleting a local user from SPS

Setting password policies for local users Managing local usergroups Managing SPS users from an LDAP database Authenticating users to a RADIUS server Authenticating users with X.509 certificates Managing user rights and usergroups

Assigning privileges to usergroups for the SPS web interface Modifying group privileges Finding specific usergroups Using usergroups Built-in usergroups of SPS

Listing and searching configuration changes

Using the internal search interface

Filtering Customizing columns of the internal search interface Customizing columns of the internal search interface

Displaying the privileges of users and user groups

Controlling SPS: reboot, shutdown

Disabling controlled traffic Disabling controlled traffic permanently

Managing Safeguard for Privileged Sessions clusters

Cluster roles Enabling cluster management Building a cluster Assigning roles to nodes in your cluster Configuration synchronization across nodes in a cluster

Configuration synchronization and SSH keys Using a configuration synchronization plugin

Monitoring the status of nodes in your cluster Updating the IP address of a node in a cluster

Managing a high availability SPS cluster

Adjusting the synchronization speed Redundant heartbeat interfaces Next-hop router monitoring

Upgrade checklist Upgrading SPS (single node) Upgrading a high availability SPS cluster Troubleshooting Exporting the configuration of SPS Importing the configuration of SPS

Managing the SPS license

Updating the SPS license

Accessing the SPS console

Using the console menu of SPS Enabling SSH access to the SPS host Changing the root password of SPS Firmware update using SSH Exporting and importing the configuration of SPS using the console

Disabling sealed mode

Out-of-band management of SPS

Configuring the IPMI interface from the console Configuring the IPMI interface from the BIOS

Managing the certificates used on SPS

Generating certificates for SPS Uploading external certificates to SPS Generating TSA certificate with Windows Certificate Authority on Windows Server 2008 Generating TSA certificate with Windows Certificate Authority on Windows Server 2012

General connection settings

Configuring connections Modifying the destination address Configuring inband destination selection Modifying the source address Creating and editing channel policies Real-time content monitoring with Content Policies

Creating a new content policy

Configuring time policies Creating and editing user lists Authenticating users to an LDAP server Audit policies

Encrypting audit trails Timestamping audit trails with built-in timestamping service Timestamping audit trails with external timestamping service Digitally signing audit trails

Verifying certificates with Certificate Authorities Signing certificates on-the-fly Creating a Local User Database Configuring cleanup for the SPS connection database

HTTP-specific settings

Limitations in handling HTTP connections Authentication in HTTP and HTTPS Creating a new HTTP authentication policy Setting up HTTP connections

Setting up a transparent HTTP connection Enabling SPS to act as a HTTP proxy Enabling SSL encryption in HTTP Configuring half-sided SSL encryption in HTTP

Session-handling in HTTP Creating and editing protocol-level HTTP settings

ICA-specific settings

Setting up ICA connections Supported ICA channel types Creating and editing protocol-level ICA settings SPS deployment scenarios in a Citrix environment Troubleshooting Citrix-related problems

RDP-specific settings

Supported RDP channel types Creating and editing protocol-level RDP settings Network Level Authentication (NLA) with SPS

Network Level Authentication (NLA) with domain membership Using SPS across multiple domains Network Level Authentication without domain membership

Verifying the certificate of the RDP server in encrypted connections Enabling TLS-encryption for RDP connections Using SPS as a Remote Desktop Gateway Configuring Remote Desktop clients for gateway authentication Inband destination selection in RDP connections Usernames in RDP connections Saving login credentials for RDP on Windows Configuring RemoteApps

SSH-specific settings

Setting the SSH host keys and certificates of the connection Supported SSH channel types Authentication Policies

Creating a new authentication policy Client-side authentication settings

Local client-side authentication

Relayed authentication methods Configuring your Kerberos environment Kerberos authentication settings

Server host keys and certificates

Automatically adding the host keys and host certificates of a server to SPS Manually adding the host key or host certificate of a server

Creating and editing protocol-level SSH settings Supported encryption algorithms

Telnet-specific settings

Enabling TLS-encryption for Telnet connections Creating a new Telnet authentication policy Extracting username from Telnet connections Creating and editing protocol-level Telnet settings Inband destination selection in Telnet connections Limitations of using TN5250 protocol with IBM iSeries Access for Windows

VMware Horizon View connections

SPS deployment scenarios in a VMware environment

VNC-specific settings

Enabling TLS-encryption for VNC connections Creating and editing protocol-level VNC settings

Indexing audit trails

Configuring the internal indexer Configuring external indexers

Prerequisites and limitations Hardware requirements for the external indexer host Configuring SPS to use external indexers Installing the external indexer Configuring the external indexer Uploading decryption keys to the external indexer Configuring a hardware security module (HSM) or smart card to integrate with external indexer

Setting up and testing the environment Encrypting a PKCS#11 PIN Starting and restarting the external-indexer service when using a custom password for PKCS#11 PIN encryption Configuring SoftHSM Configuring AWS CloudHSM Configuring a smart card

Customizing the indexing of HTTP traffic Starting the external indexer Disabling indexing on SPS Managing the indexers Upgrading the external indexer Troubleshooting external indexers

Monitoring the status of the indexer services HTTP indexer configuration format

Using the Search (classic) interface

Searching audit trails: the SPS connection database

Connection details Replaying audit trails in your browser in Search (classic) Replaying encrypted audit trails in your browser Using the content search Connection metadata Using and managing search filters

Creating and saving filters for later use

The search and filter process

Displaying statistics on search results

Using the Search interface

Searching audit trails: the SPS connection database

Specifying time ranges Using the connection search Searching database fields Using the content query Displaying statistics on search results Analyzing data using One Identity Safeguard for Privileged Analytics The search and filter process

Viewing connection details Replaying audit trails in your browser Handling encrypted audit trails Creating report subchapters from search queries

Creating search-based report subchapters from search results Creating search-based report subchapters from scratch

Searching session data on a central node in a cluster Advanced authentication and authorization techniques

Configuring usermapping policies Configuring gateway authentication

Configuring out-of-band gateway authentication Performing out-of-band gateway authentication on SPS Performing inband gateway authentication in SSH and Telnet connections Performing inband gateway authentication in RDP connections Troubleshooting gateway authentication

Configuring four-eyes authorization

Configuring four-eyes authorization Performing four-eyes authorization on SPS

Using credential stores for server-side authentication

Configuring local Credential Stores Performing gateway authentication to RDP servers using local Credential Store and NLA Configuring password-protected Credential Stores Unlocking Credential Stores Using Lieberman ERPM to authenticate on the target hosts Using a custom Credential Store plugin to authenticate on the target hosts

Integrating external authentication and authorization systems

How Authentication and Authorization plugins work Authorizing connections to the target hosts with a SPS plugin Performing authentication with AA plugin in terminal connections Performing authentication with AA plugin in Remote Desktop connections Integrating ticketing systems

Performing authentication with ticketing integration in terminal connections Performing authentication with ticketing integration in Remote Desktop connections

Ingesting logs with SPS Creating a custom plugin

The available Python environment File structure of a plugin Plugin versioning Troubleshooting plugins

Contents of the operational reports Configuring custom reports Creating reports from audit trail content Creating statistics from custom database queries Database tables available for custom queries

The alerting table The aps table The archives table The audit_trail_downloads table The channels table The closed_connection_audit_channels view The closed_not_indexed_audit_channels view The connection_events view The connection_occurrences view The connections view The events table The file_xfer table The http_req_resp_pair table The indexer_jobs table The occurrences table The progresses table The results table The skipped_connections table The usermapped_channels view Querying trail content with the lucene-search function

Generating partial reports Creating PCI DSS reports Contents of PCI DSS reports

The SPS RPC API

Requirements for using the RPC API RPC client requirements Locking SPS configuration from the RPC API Documentation of the RPC API Enabling RPC API access to SPS

The SPS REST API SPS scenarios

Configuring public-key authentication on SPS

Configuring public-key authentication using local keys Configuring public-key authentication using an LDAP server and a fixed key Configuring public-key authentication using an LDAP server and generated keys

Organizing connections in non-transparent mode

Organizing connections based on port numbers Organizing connections based on alias IP addresses

Using inband destination selection in SSH connections

Using inband destination selection with PuTTY Using inband destination selection with OpenSSH Using inband selection and nonstandard ports with PuTTY Using inband selection and nonstandard ports with OpenSSH Using inband destination selection and gateway authentication with PuTTY Using inband destination selection and gateway authentication with OpenSSH

SSH usermapping and keymapping in AD with public key

Troubleshooting SPS

Network troubleshooting Gathering data about system problems Viewing logs on SPS Changing log verbosity level of SPS Collecting logs and system information for error reporting Status history and statistics

Connection statistics Memory Disk CPU Network connections Interface Load average Number of processes Displaying custom connection statistics

Troubleshooting a SPS cluster

Understanding SPS cluster statuses Recovering SPS if both nodes broke down Recovering from a split brain situation Replacing a HA node in a SPS cluster Resolving an IP conflict between cluster nodes

Understanding SPS RAID status Restoring SPS configuration and data VNC is not working with TLS Configuring the IPMI interface from the BIOS after losing IPMI password Incomplete TSA response received

Configuring external devices

Configuring advanced routing on Linux Configuring advanced routing on Cisco routers Configuring advanced routing on Sophos UTM (formerly Astaro Security Gateway) firewalls

Using SCP with agent-forwarding Security checklist for configuring SPS Jumplists for in-product help

Basic Settings > Management Basic Settings > Local Services Basic Settings > System <Protocol name> Control > Global Options

Third-party contributions

GNU General Public License

Preamble TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION

Section 0 Section 1 Section 2 Section 3 Section 4 Section 5 Section 6 Section 7 Section 8 Section 9 Section 10 NO WARRANTY Section 11 Section 12

How to Apply These Terms to Your New Programs

GNU Lesser General Public License License attributions

Basic Settings > System

Jumplists for in-product help > Basic Settings > System

Basic Settings > System > System control: For details, see Controlling SPS: reboot, shutdown.
Basic Settings > System > Traffic control: For details, see Disabling controlled traffic.
Basic Settings > System > Version details: For details, see Upgrading SPS (single node).
Basic Settings > System > Export configuration: For details, see Exporting the configuration of SPS.
Basic Settings > System > Import configuration: For details, see Importing the configuration of SPS.
Basic Settings > System > License: For details, see Managing the SPS license.
Basic Settings > System > Sealed mode: For details, see Sealed mode.
Basic Settings > System > Firmwares: For details, see Upgrading SPS (single node).

<Protocol name> Control > Global Options

Jumplists for in-product help > <Protocol name> Control > Global Options

<Protocol name> Control > Global Options > Traffic: For details, see Changing log verbosity level of SPS.
<Protocol name> Control > Global Options > Audit > Timestamping: For details, see:
<Protocol name> Control > Global Options > Audit > Delete search metadata from PSM after: For details, see Configuring cleanup for the SPS connection database.

Third-party contributions

Third-party contributions

This appendix includes the open source licenses and attributions applicable to One Identity Safeguard for Privileged Sessions.

GNU General Public License

Third-party contributions > GNU General Public License

Version 2, June 1991

1989, 1991 Free Software Foundation, Inc.

Free Software Foundation, Inc. 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA

Everyone is permitted to copy and distribute verbatim copies of this license document, but changing it is not allowed.

Version 2, June 1991

Related Documents

© 2021 One Identity LLC. ALL RIGHTS RESERVED. Feedback Terms of Use Privacy