Chat now with support
Chat with Support

One Identity Safeguard for Privileged Sessions 5.9.0 - Administration Guide

Preface Introduction The concepts of SPS The Welcome Wizard and the first login Basic settings User management and access control Managing SPS
Controlling SPS: reboot, shutdown Managing Safeguard for Privileged Sessions clusters Managing a high availability SPS cluster Upgrading SPS Managing the SPS license Accessing the SPS console Sealed mode Out-of-band management of SPS Managing the certificates used on SPS
General connection settings HTTP-specific settings ICA-specific settings RDP-specific settings SSH-specific settings Telnet-specific settings VMware Horizon View connections VNC-specific settings Indexing audit trails Using the Search (classic) interface Using the Search interface Searching session data on a central node in a cluster Advanced authentication and authorization techniques Reports The SPS RPC API The SPS REST API SPS scenarios Troubleshooting SPS Configuring external devices Using SCP with agent-forwarding Security checklist for configuring SPS Jumplists for in-product help Third-party contributions About us

Configuring the IPMI interface from the BIOS

Purpose:

To configure IPMI from the BIOS when configuring your SPS physical appliance for the first time, complete the following steps.

Prerequisites:

To apply the procedure outlined here, you will need physical access to a monitor and keyboard.

Steps:
  1. Press the DEL button when the POST screen comes up while the appliance is booting.

    Figure 109: POST screen during booting

  2. In the BIOS, navigate to the IPMI page.

  3. On the IPMI page, select BMC Network Configuration, and press Enter.

    Figure 110: IPMI page > BMC Network Configuration option

  4. On the BMC Network Configuration page, select Update IPMI LAN Configuration, press Enter, and select Yes.

    Figure 111: BMC Network Configuration page > Update IPMI LAN Configuration

  5. Stay on the BMC Network Configuration page, select Configuration Address Source, press Enter, and select Static.

    Figure 112: BMC Network Configuration page > Configuration Address Source

  6. Still on the BMC Network Configuration page, configure the Station IP Address, Subnet Mask, and Gateway IP Address individually.

    Figure 113: BMC Network Configuration page > Station IP Address, Subnet Mask, Gateway IP Address

  7. Press F4 to save the settings, and exit from the BIOS.

    About a minute later, you will be able to log in on the IPMI web interface.

Managing the certificates used on SPS

SPS uses a number of certificates for different tasks that can be managed from the Basic Settings > Management > SSL certificates menu.

Figure 114: Basic Settings > Management > SSL certificates — Changing the web certificate of SPS

The following certificates can be modified here:

  • CA certificate: The certificate of the internal Certificate Authority of SPS.

  • Server certificate: The certificate of the SPS web interface, used to encrypt the communication between SPS and the administrators.

    NOTE:

    If this certificate is changed, the browser of SPS users will display a warning stating that the certificate of the site has changed.

  • TSA certificate: The certificate of the internal Timestamping Authority that provides the timestamps used when creating encrypted audit-trails.

NOTE:

SPS uses other certificates for different purposes that are not managed here, for example, to encrypt data stored on SPS. For details, see Encrypting audit trails.

Use every keypair or certificate only for one purpose. Do not reuse cryptographic keys or certificates, for example, do not use the certificate of the SPS webserver to encrypt audit trails, or do not use the same keypair for signing and encrypting data.

For every certificate, the distinguished name (DN) of the X.509 certificate and the fingerprint of the private key is displayed. To display the entire certificate click on the DN. To display the public part of the private key, click on the fingerprint. It is not possible to download the private key itself from the SPS web interface, but the public part of the key can be downloaded in different formats (for example PEM, DER, or OpenSSH). Also, the X.509 certificate can be downloaded in PEM and DER formats.

During the initial configuration, SPS creates a self-signed CA certificate, and uses this CA to issue the certificate of the web interface (see Server certificate) and the internal Timestamping Authority (TSA certificate).

There are two methods to manage certificates of SPS:

  • Recommended: Generate certificates using your own PKI solution and upload them to SPS.

    Generate a CA certificate and two other certificates signed with this CA using your PKI solution and upload them to SPS. For the Server and TSA certificates, upload the private key as well. One Identity recommends using 2048-bit RSA keys (or stronger), and to use certificates that have the appropriate keyUsage or extendedKeyUsage fields set (for example, extendedKeyUsage=serverAuth for the SPS web server certificate).

    For details on uploading certificates and keys created with an external PKI, complete Uploading external certificates to SPS.

    Caution:

    The Server and the TSA certificates must be issued by the same Certificate Authority.

  • Use the certificates generated on SPS. In case you want to generate new certificates and keys for SPS using its self-signed CA certificate, or generate a new self-signed CA certificate, complete Generating certificates for SPS.

    NOTE:

    Generate certificates using your own PKI solution and upload them to SPS whenever possible. Certificates generated on SPS cannot be revoked, and can become a security risk if they are somehow compromised.

Generating certificates for SPS

Purpose:

Create a new certificate for the SPS webserver or the Timestamping Authority using the internal CA of SPS, or create a new, self-signed CA certificate for the internal Certificate Authority of SPS.

One Identity recommends using 2048-bit RSA keys (or stronger).

Steps:
  1. Navigate to Basic Settings > Management > SSL certificates.

  2. Fill the fields of the new certificate:

    1. Country: Select the country where SPS is located (for example HU - Hungary).

    2. Locality name: The city where SPS is located (for example Budapest).

    3. Organization name: The company who owns SPS (for example Example Inc.).

    4. Organization unit name: The division of the company who owns SPS (for example IT Security Department).

    5. State or Province name: The state or province where SPS is located.

  3. Select the certificate you want to generate.

    • To create a new certificate for the SPS web interface, select Generate Server.

    • To create a new certificate for the Timestamping Authority, select Generate TSA.

    • To create a new certificate for the internal Certificate Authority of SPS, select Generate All. Note that in this case new certificates are created automatically for the server and TSA certificates as well.

    NOTE:

    When generating new certificates, the server and TSA certificates are signed using the certificate of the CA. If you have uploaded an external CA certificate along with its private key, it will be used to create the new server and TSA certificates. If you have uploaded an external CA certificate without its private key, use your external PKI solution to generate certificates and upload them to SPS.

    Caution:

    Generating a new certificate automatically deletes the earlier certificate.

  4. Click Commit.

Uploading external certificates to SPS

Purpose:

Upload a certificate generated by an external PKI system to SPS.

Prerequisites:

The certificate to upload. For the TSA X.509 Certificate and Server X.509 Certificate, the private key of the certificate is needed as well. The certificates must meet the following requirements:

  • SPS accepts certificates in PEM format. The DER format is currently not supported.

  • SPS accepts private keys in PEM (RSA and DSA), and PUTTY format. Password-protected private keys are also supported.

    NOTE:

    SPS accepts passwords that are not longer than 150 characters. The following special characters can be used: !"#$%&'()*+,-./:;<=>?@[\]^-`{|}

    For the internal CA certificate of SPS, uploading the private key is not required.

  • For the TSA certificate, the X509v3 Extended Key Usage attribute must be enabled and set to critical. Also, its default value must be set to Time Stamping.

  • For the Server certificate, the X509v3 Extended Key Usage attribute must be enabled and its default value set to TLS Web Server Authentication. Also, the Common Name of the certificate must contain the domain name or the IP address of the SPS host. If the web interface is accessible from multiple interfaces or IP addresses, list every IP address using the Subject Alt Name option.

  • For the certificate used to sign audit trails, the X509v3 Extended Key Usage attribute must be enabled and its default value set to Sign (downloadable) executable code.

One Identity recommends using 2048-bit RSA keys (or stronger).

Steps:
  1. Navigate to Basic Settings > Management > SSL certificates.

  2. Click to upload the new certificate. A pop-up window is displayed.

    Figure 115: Basic Settings > Management > SSL certificates — Uploading certificates

    Select Browse, select the file containing the certificate, and click Upload.

    For the Server X.509 Certificate:

    For the Server X.509 Certificate, you can also upload a certificate chain. For that, copy the certificates after each other in a single file. Alternatively, you can copy and paste the certificates one by one after each other into the Certificate field and click Set. The certificates do not have to be in order, SPS will order them and validate the chain: if a member of the chain is missing, an error message is displayed.

    NOTE:

    Certificate chains are supported only for the Server X.509 Certificate.

  3. To upload the private key corresponding to the certificate, click icon. A pop-up window is displayed.

    Figure 116: Basic Settings > Management > SSL certificates — Uploading the private key

    Select Browse, select the file containing the private key, provide the Password if the key is password-protected, and click Upload. Alternatively, you can also copy-paste the private key into the Key field, provide the Password there, and click Set.

    In the case of a certificate chain, the private key has to be the same as the bottom level certificate.

    Expected result:

    The new certificate is uploaded. If you receive the Certificate issuer mismatch error message after importing a certificate, you must import the CA certificate which signed the certificate as well (the private key of the CA certificate is not mandatory).

    NOTE:

    To download previously uploaded certificates, click on the certificate and either download the certificate (or certificate chain) in one single PEM or DER file, or you can download single certificate files separately (if it is a certificate chain).

Related Documents