
One Identity Safeguard for Privileged Sessions 5.9.0 - Administration Guide


Performing authentication with ticketing integration in terminal connections

Purpose:

To establish a terminal connection (SSH, TELNET, or TN3270) to a server that requires you to enter a ticket ID, complete the following steps.

Steps:
  1. Connect to the server.

    You have the option to use the ID of the ticket you are working on as part of the username (replace id with the ticket ID):

    ssh ticket_id=id@user@server

    NOTE:

    Your plugin may use a different name for the key ticket_id shown in the example. Plugins work with key-value pairs and the names of keys are entirely up to individual plugins.

  2. If you did not provide a ticket ID, SPS now prompts you to enter it.

  3. Authenticate on the server.

  4. If the authentication is successful, you can access the server.

Performing authentication with ticketing integration in Remote Desktop connections

Purpose:

To establish a Remote Desktop (RDP) connection to a server that requires you to enter a ticket ID, complete the following steps.

Steps:
  1. Open your Remote Desktop client application.

  2. In the User name field of your Remote Desktop client application, enter the ticket ID before or after the regular content of the field (for example, your username). You must provide the ticket ID in the following format:

    ticket_id~<your-ticket-id>%

    Replace <your-ticket-id> with your actual ticket number. For example:

    ticket_id~12345%Administrator

    NOTE:

    Your plugin may use a different name for the key ticket_id shown in the example. Plugins work with key-value pairs and the names of keys are entirely up to individual plugins.

    To encode additional data, you can use the following special characters:

    • % as a field separator

    • ~ as the equal sign

    • ^ as a colon (for example, to specify a port number or an IPv6 address)

    For example, to add a token ID before your username, use the following format:

    domain\token_id~12345%Administrator

    Note how the domain information is provided. If your server is in a domain, specify the domain in this format: put it in front, followed by a backslash (\).

  3. Connect to the server.

  4. Authenticate on the server.

  5. If the authentication is successful, you can access the server.
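As an added example (not part of the guide or of any One Identity plugin), the following Python function decodes a User name field value built with the rules above: % as field separator, ~ as the equal sign, ^ as a colon and an optional domain\ prefix. Two rules are assumptions of this example, not statements of the guide: the single field that contains no ~ is the plain username, and ^ is translated to a colon only inside values.

```python
import json

FIELD_SEP = "%"   # field separator
KV_SEP = "~"      # stands for the equal sign
COLON = "^"       # stands for a colon (port numbers, IPv6 addresses)


def decode_gateway_username(raw: str) -> dict:
    """Decode a User name field of the form [domain\\]field%field%...

    Each field is either key~value or the plain username.  Returns a dict
    with "domain" (or None), "username" and "params" (the key-value pairs).
    Assumption of this example: exactly one field is the plain username,
    and '^' is only rewritten to ':' inside values.
    """
    domain = None
    if "\\" in raw:
        # Domain goes in front, separated by a backslash.
        domain, raw = raw.split("\\", 1)
    username = None
    params = {}
    for field in raw.split(FIELD_SEP):
        if not field:
            continue                      # tolerate an empty field (e.g. trailing '%')
        if KV_SEP in field:
            key, value = field.split(KV_SEP, 1)
            if not key:
                raise ValueError(f"empty key in field {field!r}")
            params[key] = value.replace(COLON, ":")
        elif username is None:
            username = field
        else:
            raise ValueError(f"more than one username field: {field!r}")
    if username is None:
        raise ValueError("no username field in User name value")
    return {"domain": domain, "username": username, "params": params}


if __name__ == "__main__":
    # Decode the guide's own example value and print the result as JSON.
    print(json.dumps(decode_gateway_username("ticket_id~12345%Administrator")))
```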

Ingesting logs with SPS

Purpose:

With log ingestion activated, SPS can ingest and process logs arriving through syslog protocol from an external source. These logs can be displayed as sessions in the Search interface.

Prerequisites:

The SPS syslog-ng destination receives the logs sent through a TCP connection. To ensure that the logs are parsed correctly, it is necessary to use a log adapter plugin. A log adapter plugin can be:

  • Either a plugin that is available for download in the Plugin section on the One Identity Safeguard for Privileged Sessions - Download Software page.

    Currently, the following log adapter plugins are available:

    • Windows log adapter plugin: This plugin parses Windows logs if they were forwarded by syslog-ng Agent for Windows. Login and logout events, as well as executed commands are processed to be shown as sessions alongside recordings made by SPS.

      To ensure that executed commands are extracted from Windows logs, edit the Audit process tracking key and enable both Success and Failure events auditing under Security Setting > Local Policies > Audit Policy within your Security Policy Editor on the Windows server where the sessions are taking place.

    • SSHD log adapter plugin: This plugin parses event logs from SSHD services running on Unix servers. Login and logout events are processed to be shown as sessions alongside the recordings made by SPS.

  • Or a plugin written for you.

    To request a log adapter plugin, contact our Support Team.

Steps:
  1. To configure log ingestion, navigate to Basic Settings > Local Services > Log ingestion and select Enable.

    Figure 256: Basic Settings > Local Services > Log ingestion — Configuring log ingestion

  2. Configure a log forwarder (preferably syslog-ng Premium Edition) on the sender machine to forward logs to the Listening address of SPS.

  3. In the Listening addresses section, enter the IP addresses and ports on which SPS listens for incoming logs. It is advised to use a high port number, because this port will be open to external traffic.

  4. If the sender side uses packet framing when sending log messages, select Framing.

  5. To verify the identity of the client, configure Client verification:

    • Disabled: Do not request client verification.

    • Without certificate validation: Require client certificate, but do not check certificate validity.

    • With certificate validation: Require client certificate and check certificate validity.

      Select the Trusted client CAs from the list that you have configured in Policies > Trusted CA Lists.

      On the client side, configure a server certificate, that is, the SSL certificate of SPS in this case. To download this certificate, navigate to Basic Settings > Management > SSL certificates. For details on configuring the client side, see Configuring TLS on the syslog-ng clients.

  6. To resolve server and client names in the incoming log messages to IP addresses, select Host resolving.

  7. To upload a log adapter plugin, navigate to Basic Settings > Plugins, browse for the file and click Upload. Note that it is not possible to upload or delete plugins if SPS is in sealed mode.

    You can also upload the log adapter plugin through REST.
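As an added illustration (not part of the guide, of SPS or of syslog-ng), the following Python snippet shows what the sender side has to produce for the Framing and Client verification settings above: RFC 5424 messages with octet-counting framing (RFC 6587) sent over TLS, with a client certificate when SPS requires one. The host name, port and certificate paths are assumed values, and the pairing of the SPS Framing option with octet-counting framing is an assumption of this example.

```python
import socket
import ssl
from datetime import datetime, timezone

SPS_HOST = "sps.example.test"   # assumed SPS listening address
SPS_PORT = 6514                 # assumed high port opened for log ingestion


def build_rfc5424(hostname, app, msg, ts=None, pri=14):
    """Build one RFC 5424 syslog line. PRI 14 = facility user, severity info.
    ts is an ISO 8601 timestamp string; defaults to the current UTC time."""
    ts = ts or datetime.now(timezone.utc).isoformat()
    return f"<{pri}>1 {ts} {hostname} {app} - - - {msg}"


def frame_octet_counting(message):
    """Octet-counting framing (RFC 6587): byte length, a space, the message.
    Use this form only when Framing is selected on the SPS listener."""
    payload = message.encode("utf-8")
    return f"{len(payload)} ".encode("ascii") + payload


def client_tls_context(sps_cert_file, client_cert=None, client_key=None):
    """TLS context for the sender, matching the SPS Client verification modes:
      Disabled                       - no client certificate needed
      Without certificate validation - a client certificate must be presented
      With certificate validation    - the client certificate must chain to a
                                       CA in the selected Trusted client CAs
    sps_cert_file is the SPS SSL certificate downloaded from
    Basic Settings > Management > SSL certificates (assumed path below)."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=sps_cert_file)
    if client_cert:
        ctx.load_cert_chain(certfile=client_cert, keyfile=client_key)
    return ctx


def send_framed(message, ctx):
    """Open one TLS connection to SPS and send a single framed message."""
    with socket.create_connection((SPS_HOST, SPS_PORT), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=SPS_HOST) as tls:
            tls.sendall(frame_octet_counting(message))


if __name__ == "__main__":
    # Constructed sample: an sshd login line of the kind the SSHD log adapter parses.
    line = build_rfc5424("unix-host1", "sshd",
                         "Accepted publickey for alice from 10.0.0.5 port 51234 ssh2")
    ctx = client_tls_context("/etc/ssl/sps.pem", "/etc/ssl/client.crt", "/etc/ssl/client.key")
    send_framed(line, ctx)
```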

Creating a custom plugin

The following sections give a brief overview of custom Credential Store and AA plugins. For details on using an existing plugin, see Using a custom Credential Store plugin to authenticate on the target hosts and Authorizing connections to the target hosts with an SPS plugin. If you want to create such plugins, contact our Support Team.

A plugin is a Python script or a Python bundle. The bundle can contain any number of files, including pure Python modules, but the uncompressed size of the bundle cannot exceed 20 megabytes. The plugin uses the standard input and output (stdin and stdout) for communication, and exits immediately after it prints the result to the standard output. The plugin runs in synchronous, blocking mode.
