
One Identity Safeguard for Privileged Sessions 5.9.0 - Administration Guide


Creating data backups

To configure data backups, assign a backup policy to the connection.

NOTE:

When exporting the configuration of SPS, or creating configuration backups, always use encryption. Handle the exported data with care, as it contains sensitive information, including credentials. For details on encrypting the configuration, see "Encrypting configuration backups with GPG" in the Administration Guide.

Prerequisites:
  • Configure the system backup. Restoring a data backup works only if a matching system configuration and metadata is available, that is, if a system backup is restored first. For details, see Creating configuration backups.

  • Configure a backup policy before starting this procedure. For details, see Data and configuration backups.

Steps:
  1. Navigate to [Your chosen protocol] Control > Connections.

  2. Select the connection you want to back up.

  3. Select a backup policy in the Backup policy field.

  4. Click Commit.

  5. Optional: To start the backup process immediately, click Backup or Backup ALL. The Backup and Backup ALL functionalities work only after a backup policy has been selected and committed.

Encrypting configuration backups with GPG

Purpose:

You can encrypt the configuration file of SPS during system backups using the public part of a GPG key. The system backups of SPS contain other information as well (for example, databases), but only the configuration file is encrypted. Note that system backups do not contain audit-trail data.

When exporting the configuration of SPS, or creating configuration backups, always use encryption. Handle the exported data with care, as it contains sensitive information, including credentials. For details on encrypting the configuration, see "Encrypting configuration backups with GPG" in the Administration Guide.

For details on restoring configuration from a configuration backup, see Restoring SPS configuration and data.

NOTE:

It is not possible to import a GPG-encrypted configuration directly into SPS; it has to be decrypted locally first.

Prerequisites:

You have to configure a backup policy before starting this procedure. For details, see Data and configuration backups.

You need a GPG key that is permitted to encrypt data. Keys that can be used only for signing cannot be used to encrypt the configuration file.

Steps:
  1. Navigate to Basic Settings > Management > System backup.

  2. Select Encrypt configuration.

  3. Click .

    • To upload a key file, click Browse, select the file containing the public GPG key, and click Upload. SPS accepts both binary and ASCII-armored GPG keys.

    • To copy-paste the key from the clipboard, copy it, paste it into the Key field, then click Set.

  4. Click Commit.
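The prerequisite above rules out signing-only keys, and step 3 accepts both binary and ASCII-armored public keys. The following is an added example, not One Identity or SPS code, showing how to check an exported public key before uploading it: it walks the OpenPGP packets (RFC 4880 old- and new-format headers, armored or binary input) and reads the key-flags subpacket of each self-signature or subkey-binding signature to see whether any component is allowed to encrypt. The two sample keys at the bottom are constructed with placeholder key material so the block runs offline; they are structurally valid but cryptographically meaningless, and signatures are not verified.

```python
"""Added example (not SPS product code): decide whether an exported OpenPGP
public key, binary or ASCII-armored, carries encryption capability, so that
a signing-only key is caught before it is uploaded for backup encryption.
Structural RFC 4880 packet walk only; signatures are not verified."""
import base64
import struct

ENCRYPT_FLAGS = 0x04 | 0x08              # key flags: encrypt communications / storage
KEY_FLAGS_SUBPACKET = 27
PUBKEY_TAGS = {6: "primary", 14: "subkey"}
SIGNATURE_TAG = 2
ENCRYPT_CAPABLE_ALGOS = {1, 2, 16, 18}   # RSA, RSA-encrypt, ElGamal, ECDH (used if no flags)


def dearmor(data: bytes) -> bytes:
    """Return raw packets; binary input passes through, armor is base64-decoded."""
    if not data.lstrip().startswith(b"-----BEGIN PGP"):
        return data
    lines = data.decode("ascii", "replace").replace("\r\n", "\n").split("\n")
    idx = [i for i, l in enumerate(lines) if l.startswith(("-----BEGIN PGP", "-----END PGP"))]
    if len(idx) < 2:
        raise ValueError("malformed armor")
    body = lines[idx[0] + 1:idx[1]]
    if "" in body:                        # armor headers end at the first blank line
        body = body[body.index("") + 1:]
    # the trailing "=XXXX" line is the CRC24, which this check does not verify
    return base64.b64decode("".join(l for l in body if not l.startswith("=")))


def read_packet(buf: bytes, pos: int):
    """Parse one packet header (old or new format); return (tag, body_start, body_end)."""
    ctb = buf[pos]
    if not ctb & 0x80:
        raise ValueError("no packet header at offset %d" % pos)
    if ctb & 0x40:                                   # new-format header
        tag, o1 = ctb & 0x3F, buf[pos + 1]
        if o1 < 192:
            length, hdr = o1, 2
        elif o1 < 224:
            length, hdr = ((o1 - 192) << 8) + buf[pos + 2] + 192, 3
        elif o1 == 255:
            length, hdr = struct.unpack(">I", buf[pos + 2:pos + 6])[0], 6
        else:
            raise ValueError("partial body lengths are not supported")
    else:                                            # old-format header (what gpg exports)
        tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
        if ltype == 3:
            raise ValueError("indeterminate packet length is not supported")
        size = 1 << ltype
        length, hdr = int.from_bytes(buf[pos + 1:pos + 1 + size], "big"), 1 + size
    return tag, pos + hdr, pos + hdr + length


def key_flags(sig_body: bytes):
    """Return the first key-flags octet from a v4 signature's hashed subpackets, else None."""
    if sig_body[0] != 4:
        return None
    pos, end = 6, 6 + struct.unpack(">H", sig_body[4:6])[0]
    while pos < end:
        o1 = sig_body[pos]
        if o1 < 192:
            sp_len, pos = o1, pos + 1
        elif o1 < 255:
            sp_len, pos = ((o1 - 192) << 8) + sig_body[pos + 1] + 192, pos + 2
        else:
            sp_len, pos = struct.unpack(">I", sig_body[pos + 1:pos + 5])[0], pos + 5
        if sig_body[pos] & 0x7F == KEY_FLAGS_SUBPACKET and sp_len >= 2:
            return sig_body[pos + 1]
        pos += sp_len                                # length covers type octet + data
    return None


def encryption_capable_components(data: bytes):
    """Return [(role, algo, flags)] for every key component that may encrypt."""
    buf, keys, pos = dearmor(data), [], 0
    while pos < len(buf):
        tag, start, end = read_packet(buf, pos)
        if tag in PUBKEY_TAGS:
            if buf[start] != 4:
                raise ValueError("only v4 keys are supported")
            keys.append([PUBKEY_TAGS[tag], buf[start + 5], None])   # algo follows 4-byte ctime
        elif tag == SIGNATURE_TAG and keys:
            flags = key_flags(buf[start:end])
            if flags is not None:
                keys[-1][2] = flags                  # latest self/binding signature wins
        pos = end
    return [(r, a, f) for r, a, f in keys
            if (a in ENCRYPT_CAPABLE_ALGOS if f is None else bool(f & ENCRYPT_FLAGS))]


# --- constructed sample keys: placeholder MPIs, structurally valid, not real keys ---
def _pkt(tag, body):
    return bytes([0x80 | (tag << 2), len(body)]) + body        # old-format, 1-octet length

def _key(tag, algo=1):
    return _pkt(tag, bytes([4, 0, 0, 0, 0, algo]) + b"\x00\x08\xa1\x00\x08\x03")

def _sig(sig_type, flags):
    sub = bytes([2, KEY_FLAGS_SUBPACKET, flags])
    return _pkt(SIGNATURE_TAG, bytes([4, sig_type, 1, 8]) + struct.pack(">H", len(sub)) + sub
                + b"\x00\x00" + b"\xab\xcd" + b"\x00\x08\x01")

UID = _pkt(13, b"SPS backup <backup@example.com>")
SIGN_ONLY_KEY = _key(6) + UID + _sig(0x13, 0x03)              # certify + sign, no subkey
ENCRYPT_KEY = SIGN_ONLY_KEY + _key(14) + _sig(0x18, 0x0C)     # plus an encryption subkey
ARMORED_ENCRYPT_KEY = ("-----BEGIN PGP PUBLIC KEY BLOCK-----\n\n"
                       + base64.b64encode(ENCRYPT_KEY).decode() + "\n"
                       "-----END PGP PUBLIC KEY BLOCK-----\n").encode()

if __name__ == "__main__":
    print("sign-only key:", encryption_capable_components(SIGN_ONLY_KEY))
    print("encrypt key:  ", encryption_capable_components(ARMORED_ENCRYPT_KEY))
```

The output of `gpg --export --armor <key id>` is an input this function accepts. The same information is available from `gpg --list-keys --with-colons`, whose capabilities field contains `e` or `E` for an encryption-capable component; the parser above shows where that bit actually comes from, which is why a key whose only flags are certify and sign is refused for backup encryption.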

Archiving and cleanup

Archiving transfers data from SPS to an external storage solution; cleanup removes (deletes) old files. Archived data can be accessed and searched, but cannot be restored (moved back) to the SPS appliance. Only closed audit-trail files whose retention time has already elapsed are archived.

To configure archiving and cleanup, you first have to create an archive/cleanup policy. Archive/cleanup policies define the retention time, the address of the remote backup server, the protocol used to access it, and other parameters. SPS can be configured to access the backup server using the SMB/CIFS or the NFS protocol.

Caution:

Hazard of data loss! Never delete an Archive Policy if data has been archived with it. This will make the already archived data inaccessible.

Do not "remake" an Archive Policy (that is, deleting an Archive Policy and then creating another one with the same name but different parameters). This will make data inaccessible, and identifying the root cause of the issue complicated.

If you want to change the connection parameters (that is when you perform a storage server migration), you must make sure that the share contents and file permissions are kept unmodified and there are no archiving or backup tasks running.

On the other hand, if you want to add a new network share to your archives, proceed with the following steps:

  1. Create a new empty SMB/NFS network share.

  2. Create a new Archive Policy that points to this network share.

  3. Modify your Connection Policies to archive using the newly defined Archive Policy.

  4. Make sure to leave the existing Archive Policy unmodified.

It is also safe to extend the size of the network share on the server side.

The different protocols assign different file ownerships to the files saved on the remote server. The owners of the archives created using the different protocols are the following:

  • SMB/CIFS: The user provided on the web interface.

  • NFS: root with no-root-squash, nobody otherwise.

Caution:

SPS cannot modify the ownership of a file that already exists on the remote server.

Once you have configured an archive/cleanup policy, assign it to the connection you want to archive. For details, see Archiving or cleaning up the collected data.

Data about archived connections can be automatically deleted from the connection database. For details, see Configuring cleanup for the SPS connection database.

Creating a cleanup policy

Cleanup permanently deletes all audit trails and data that are older than the Delete data from PSM after value, without creating a backup copy or an archive. Such data is irrecoverably lost. Use this option with care.

NOTE:

This policy does not delete existing archives from an external CIFS or NFS server.

  1. Navigate to Policies > Backup & Archive/Cleanup and click in the Archive/Cleanup policies section to create a new cleanup policy.

  2. Enter a name for the cleanup policy.

  3. Enter the time when the cleanup process should start into the Start time field in HH:MM format (for example 23:00).

    You can add the start time for additional cleanup processes.

    Caution:

    When specifying an additional start time, ensure that the previous cleanup process finishes before the new cleanup process starts.

  4. To clean up the data collected on SPS more than once a day, click . You can schedule multiple cleanup times.

    NOTE:

    If a cleanup process has not finished before the next one is due to start, the next cleanup process waits until the previous one completes.

  5. Fill in the Delete data from PSM after field. Data older than this value is deleted from SPS.

  6. To receive e-mail notifications, select the Send notification on errors only or the Send notification on all events option. Notifications are sent to the administrator e-mail address set on the Management tab, and include the list of the files that were backed up.

    NOTE:

    This e-mail notification is different from the one set on the Alerting & Monitoring tab. This notification is sent to the administrator's e-mail address, while the alerts are sent to the alert e-mail address (see Configuring system monitoring on SPS).

  7. Click Commit.

  8. To assign the cleanup policy to the connection you want to clean up, see Archiving or cleaning up the collected data.
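The archiving section above states that only closed audit trails whose retention time has elapsed are archived, and the cleanup procedure adds that data older than the Delete data from PSM after value is deleted, that start times are given as HH:MM, and that a cleanup run scheduled while the previous one is still running waits for it. The block below is an added example, not SPS code, that models exactly those rules: it validates start times, selects eligible trails (open sessions are never selected, and a trail whose closing time is exactly at the cutoff is treated as elapsed, which is an assumption of this model), and serializes overlapping runs. Trail metadata, policy values, run durations and the clock are all constructed here; SPS's internal file layout is not reproduced.

```python
"""Added example (not SPS product code): a model of the archive/cleanup
selection and scheduling rules described on this page. All inputs below
are constructed; the boundary rule (closed exactly at the cutoff counts as
elapsed) is an assumption of this model, not a documented SPS behaviour."""
from dataclasses import dataclass
from datetime import date, datetime, time, timedelta
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class AuditTrail:
    name: str
    closed_at: Optional[datetime]      # None while the session is still open


def parse_start_times(values: List[str]) -> List[time]:
    """Validate 'HH:MM' start times; return them sorted and deduplicated."""
    parsed = set()
    for value in values:
        parsed.add(datetime.strptime(value, "%H:%M").time())   # ValueError on bad input
    return sorted(parsed)


def eligible_trails(trails: List[AuditTrail], retention_days: int, now: datetime) -> List[AuditTrail]:
    """Closed trails whose retention time has elapsed; open trails are never selected.
    The same selection feeds archiving (copy out) and cleanup (delete)."""
    cutoff = now - timedelta(days=retention_days)
    return [t for t in trails if t.closed_at is not None and t.closed_at <= cutoff]


def cleanup(trails: List[AuditTrail], retention_days: int, now: datetime) -> Tuple[List[str], List[AuditTrail]]:
    """Return (names deleted, trails kept). Deletion is irrecoverable, so the
    selection is kept separate from the destructive step and returned for review."""
    doomed = set(t.name for t in eligible_trails(trails, retention_days, now))
    return sorted(doomed), [t for t in trails if t.name not in doomed]


def serialize_runs(start_times: List[time], durations_min: List[int], day: date):
    """Schedule one day's runs: a run due while the previous one is still going
    starts when that one finishes, mirroring the page's queueing note.
    Returns (scheduled, actual_start, finished) per run."""
    runs, busy_until = [], None
    for start, minutes in zip(start_times, durations_min):
        scheduled = datetime.combine(day, start)
        actual = scheduled if busy_until is None or busy_until <= scheduled else busy_until
        busy_until = actual + timedelta(minutes=minutes)
        runs.append((scheduled, actual, busy_until))
    return runs


# --- constructed sample data ---
NOW = datetime(2024, 3, 1, 23, 0)
RETENTION_DAYS = 30                                  # "Delete data from PSM after" value
TRAILS = [
    AuditTrail("ssh-0001.zat", datetime(2024, 1, 15, 10, 0)),   # well past retention
    AuditTrail("rdp-0002.zat", datetime(2024, 2, 20, 9, 30)),   # still within retention
    AuditTrail("ssh-0003.zat", None),                           # session still open
    AuditTrail("vnc-0004.zat", datetime(2024, 1, 31, 23, 0)),   # exactly at the cutoff
]
START_TIMES = parse_start_times(["23:00", "01:00", "03:00", "01:00"])
DURATIONS_MIN = [150, 60, 30]                        # constructed run lengths per start time

if __name__ == "__main__":
    deleted, kept = cleanup(TRAILS, RETENTION_DAYS, NOW)
    print("deleted:", deleted)
    print("kept:   ", [t.name for t in kept])
    for scheduled, actual, done in serialize_runs(START_TIMES, DURATIONS_MIN, NOW.date()):
        print(scheduled.strftime("%H:%M"), "->", actual.strftime("%H:%M"), "until", done.strftime("%H:%M"))
```

In the constructed data the 01:00 run takes 150 minutes, so the 03:00 run is pushed to 03:30; that is the situation the caution in step 3 asks you to avoid by spacing start times, and the note in step 4 describes as the queueing behaviour when it does occur.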
