Chat now with support

Get Live Help
Complete Registration

Sign In

Request Pricing

Contact Sales

One Identity Safeguard for Privileged Sessions 6.10.0 - Administration Guide

Table of Contents

Preface Introduction

The major benefits of One Identity Safeguard for Privileged Sessions (SPS) Application areas

The concepts of One Identity Safeguard for Privileged Sessions (SPS)

The philosophy of One Identity Safeguard for Privileged Sessions (SPS) Policies Credential Stores Plugin framework Indexing Supported protocols and client applications

HTTP ICA MSSQL Remote Desktop Gateway Server Protocol (RDGSP) Remote Desktop Protocol (RDP) Secure Shell Protocol (SSH) Telnet VMware Horizon View Virtual Network Computing (VNC)

Modes of operation

Transparent mode Single-interface transparent mode Non-transparent mode Inband destination selection

Connecting to a server through One Identity Safeguard for Privileged Sessions (SPS)

Connecting to a server through One Identity Safeguard for Privileged Sessions (SPS) using SSH Connecting to a server through One Identity Safeguard for Privileged Sessions (SPS) using RDP Connecting to a server through One Identity Safeguard for Privileged Sessions (SPS) using an RD Gateway

Archive and backup concepts

Configuration export System backup Connection backup Connection archive Support bundle Debug logs Connection logs Core dump files

Maximizing the scope of auditing IPv6 in One Identity Safeguard for Privileged Sessions (SPS) SSH host keys Authenticating clients using public-key authentication in SSH The gateway authentication process Four-eyes authorization Network interfaces High Availability support in One Identity Safeguard for Privileged Sessions (SPS)

Firmware and High Availability

Versions and releases of One Identity Safeguard for Privileged Sessions (SPS) Accessing and configuring One Identity Safeguard for Privileged Sessions (SPS)

The Welcome Wizard and the first login

The initial connection to One Identity Safeguard for Privileged Sessions (SPS)

Creating an alias IP address (Microsoft Windows) Creating an alias IP address (Linux) Modifying the IP address of One Identity Safeguard for Privileged Sessions (SPS)

Configuring One Identity Safeguard for Privileged Sessions (SPS) with the Welcome Wizard Logging in to One Identity Safeguard for Privileged Sessions (SPS) and configuring the first connection

Supported web browsers and operating systems The structure of the web interface

Elements of the main workspace Multiple users and locking Web interface timeout Authentication banner Preferences Change password Audit keystore

Adding the first private key to your audit keystore Adding further private keys to your audit keystore Unlocking your audit keystore Deleting a private key from your audit keystore

Network settings

Configuring user and administrator login addresses

Protecting against brute-force attacks

Managing logical interfaces Routing uncontrolled traffic between logical interfaces Configuring the routing table

Configuring date and time System logging, SNMP and e-mail alerts

Configuring system logging Configuring e-mail alerts Configuring SNMP alerts Querying SPS status information using agents Customize system logging in One Identity Safeguard for Privileged Sessions (SPS)

Configuring system monitoring on SPS

Configuring monitoring Health monitoring Preventing disk space fill-up System related traps Traffic related traps

Data and configuration backups

Creating a backup policy using Rsync over SSH Creating a backup policy using SMB/CIFS Creating a backup policy using NFS Creating configuration backups Creating data backups Encrypting configuration backups with GPG

Archiving and cleanup

Creating a cleanup policy Creating an archive policy using SMB/CIFS Creating an archive policy using NFS Archiving or cleaning up the collected data

Uploading plugins Verifying the integrity of a plugin

Forwarding data to third-party systems

[Deprecated] Using the Splunk forwarder Universal SIEM Forwarder

Message types forwarded to SIEMs Message format forwarded to SIEMs

CEF JSON JSON-CIM CEF messages JSON messages JSON_CIM messages

Starling integration

Joining SPS to One Identity Starling Unjoining SPS from One Identity Starling

User management and access control

Managing One Identity Safeguard for Privileged Sessions (SPS) users locally

Creating local users in One Identity Safeguard for Privileged Sessions (SPS) Deleting a local user from One Identity Safeguard for Privileged Sessions (SPS)

Setting password policies for local users Managing local user groups Managing One Identity Safeguard for Privileged Sessions (SPS) users from an LDAP database

Common to all backends Active Directory LDAP backend POSIX LDAP backend

Authenticating users to a RADIUS server Authenticating users with X.509 certificates Managing user rights and usergroups

Assigning privileges to user groups for the One Identity Safeguard for Privileged Sessions (SPS) web interface Modifying group privileges Finding specific usergroups Using usergroups Built-in usergroups of One Identity Safeguard for Privileged Sessions (SPS)

Creating rules for restricting access to search audit data Displaying the privileges of users and user groups Listing and searching configuration changes

Using the internal search interface

Filtering Exporting the results Customizing columns of the internal search interface

Managing One Identity Safeguard for Privileged Sessions (SPS)

Controlling One Identity Safeguard for Privileged Sessions (SPS): reboot, shutdown

Disabling controlled traffic Disabling controlled traffic permanently

Managing Safeguard for Privileged Sessions (SPS) clusters

Cluster roles Enabling cluster management Creating a cluster Joining to a cluster Assigning roles to nodes in your cluster Configuration synchronization across nodes in a cluster

Configuration synchronization and SSH keys Using a configuration synchronization plugin

Monitoring the status of nodes in your cluster Updating the IP address of a node in a cluster Managing a cluster with configuration synchronization without central search Managing a cluster with central search configuration and configuration synchronization

Managing a High Availability One Identity Safeguard for Privileged Sessions (SPS) cluster

HA cluster configuration and management options Adjusting the synchronization speed Redundant heartbeat interfaces Next-hop router monitoring

Upgrading One Identity Safeguard for Privileged Sessions (SPS)

Upgrade checklist Upgrading One Identity Safeguard for Privileged Sessions (SPS) (single node) Upgrading a High Availability One Identity Safeguard for Privileged Sessions (SPS) cluster Troubleshooting Exporting the configuration of One Identity Safeguard for Privileged Sessions (SPS) Importing the configuration of One Identity Safeguard for Privileged Sessions (SPS)

Managing the One Identity Safeguard for Privileged Sessions (SPS) license

Updating the SPS license

Accessing the One Identity Safeguard for Privileged Sessions (SPS) console

Using the console menu of One Identity Safeguard for Privileged Sessions (SPS) Enabling SSH access to the One Identity Safeguard for Privileged Sessions (SPS) host Changing the root password of One Identity Safeguard for Privileged Sessions (SPS) Firmware update using SSH Exporting and importing the configuration of One Identity Safeguard for Privileged Sessions (SPS) using the console

Disabling sealed mode

Out-of-band management of One Identity Safeguard for Privileged Sessions (SPS)

Configuring the IPMI from the console Configuring the IPMI from the BIOS

Managing the certificates used on One Identity Safeguard for Privileged Sessions (SPS)

Generating certificates for One Identity Safeguard for Privileged Sessions (SPS) Uploading external certificates to One Identity Safeguard for Privileged Sessions (SPS) Generating TSA certificate with Windows Certificate Authority on Windows Server 2008 Generating TSA certificate with Windows Certificate Authority on Windows Server 2012

General connection settings

Configuring connections Modifying the destination address Configuring inband destination selection Modifying the source address Creating and editing channel policies Real-time content monitoring with Content Policies

Creating a new content policy

Configuring time policies Creating and editing user lists Authenticating users to an LDAP server Audit policies

Encrypting audit trails Timestamping audit trails with built-in timestamping service Timestamping audit trails with external timestamping service Digitally signing audit trails

Verifying certificates with Certificate Authorities Verifying certificates with Certificate Authorities using trust stores Signing certificates on-the-fly

Creating an external Signing CA

Creating a Local User Database Configuring cleanup for the One Identity Safeguard for Privileged Sessions (SPS) connection database

HTTP-specific settings

Supported HTTP channel types Limitations in handling HTTP connections Authentication in HTTP and HTTPS Creating a new HTTP authentication policy Setting up HTTP connections

Setting up a transparent HTTP connection Enabling One Identity Safeguard for Privileged Sessions (SPS) to act as a HTTP proxy Enabling TLS encryption in HTTP Configuring half-sided SSL encryption in HTTP

Session-handling in HTTP Creating and editing protocol-level HTTP settings

ICA-specific settings

Setting up ICA connections Supported ICA channel types Creating and editing protocol-level ICA settings One Identity Safeguard for Privileged Sessions (SPS) deployment scenarios in a Citrix environment Troubleshooting Citrix-related problems

MSSQL-specific settings

Setting up MSSQL connections

Limitations in handling MSSQL connections

Supported MSSQL channel types Authentication in MSSQL

Creating a new MSSQL authentication policy

Creating and editing protocol-level MSSQL settings Enabling TLS-encryption for MSSQL connections

RDP-specific settings

Supported RDP channel types Creating and editing protocol-level RDP settings Network Level Authentication (NLA) with One Identity Safeguard for Privileged Sessions (SPS)

Network Level Authentication (NLA) with domain membership Using One Identity Safeguard for Privileged Sessions (SPS) across multiple domains

Verifying the certificate of the RDP server in encrypted connections Enabling TLS-encryption for RDP connections Using One Identity Safeguard for Privileged Sessions (SPS) as a Remote Desktop Gateway Configuring Remote Desktop clients for gateway authentication Inband destination selection in RDP connections Usernames in RDP connections Saving login credentials for RDP on Windows Configuring RemoteApps Configuring SPS to enable exporting files from audit trails after RDP file transfer through clipboard or disk redirection

SSH-specific settings

Setting the SSH host keys of the connection

Setting the SSH host keys accepted on the server side Setting the SSH host keys offered to the clients

Supported SSH channel types Authentication Policies

Creating a new authentication policy Client-side authentication settings

Local client-side authentication

Relayed authentication methods Configuring your Kerberos environment Kerberos authentication settings

Server host keys

Automatically adding the host keys of a server to One Identity Safeguard for Privileged Sessions (SPS) Manually adding the host key of a server

Creating and editing protocol-level SSH settings Supported encryption algorithms

Using Sudo with SPS

Setting up Sudo connections in SPS Configuring Sudo

Telnet-specific settings

Enabling TLS-encryption for Telnet connections Creating a new Telnet authentication policy Extracting username from Telnet connections Creating and editing protocol-level Telnet settings Inband destination selection in Telnet connections

VMware Horizon View connections

One Identity Safeguard for Privileged Sessions (SPS) deployment scenarios in a VMware environment

VNC-specific settings

Enabling TLS-encryption for VNC connections Creating and editing protocol-level VNC settings

Indexing audit trails

Configuring the internal indexer Configuring external indexers

Prerequisites and limitations Hardware requirements for the external indexer host Configuring One Identity Safeguard for Privileged Sessions (SPS) to use external indexers Installing the external indexer Configuring the external indexer Uploading decryption keys to the external indexer Configuring a hardware security module (HSM) or smart card to integrate with external indexer

Setting up and testing the environment Encrypting a PKCS#11 PIN Starting and restarting the external-indexer service when using a custom password for PKCS#11 PIN encryption Configuring SoftHSM Configuring AWS CloudHSM Configuring a smart card

Customizing the indexing of HTTP traffic Starting the external indexer Disabling indexing on One Identity Safeguard for Privileged Sessions (SPS) Managing the indexers Upgrading the external indexer Troubleshooting external indexers

Monitoring the status of the indexer services HTTP indexer configuration format

HTTP indexer configuration options

Using the Search interface

Adding custom fields to the card view

Table view Flow view Search Permissions Specifying time ranges Using search queries

List of available search queries

Searching in the contents of audit trails Audit trail downloads information on the Search interface Displaying statistics on search results Analyzing data using One Identity Safeguard for Privileged Analytics The search and filter process Viewing session details

Viewing session details for data recorded by SPS Viewing session details for data recorded by SPP Visualizing Frequent Item Sets on the FIS flow view

Replaying audit trails in your browser Using the browser to play video files Viewing encrypted screenshots Replaying encrypted audit trails in your browser Following active sessions Creating report subchapters

Creating search-based report subchapters from search results Creating search-based report subchapters from scratch

Search interface changes between version 5.0 and 6.0 Searching session data on a central node in a cluster

Advanced authentication and authorization techniques

Configuring usermapping policies Configuring gateway authentication

Configuring out-of-band gateway authentication Performing out-of-band gateway authentication on One Identity Safeguard for Privileged Sessions (SPS) Performing inband gateway authentication in SSH and Telnet connections Performing inband gateway authentication in RDP connections Troubleshooting gateway authentication

Configuring four-eyes authorization

Configuring four-eyes authorization Performing four-eyes authorization on One Identity Safeguard for Privileged Sessions (SPS)

Using credential stores for server-side authentication

Configuring local Credential Stores Performing gateway authentication to RDP servers using local Credential Store and NLA Configuring password-protected Credential Stores Unlocking Credential Stores Using a custom Credential Store plugin to authenticate on the target hosts

Integrating external authentication and authorization systems

How Authentication and Authorization plugins work Using a custom Authentication and Authorization plugin to authenticate on the target hosts Performing authentication with AA plugin in terminal connections Performing authentication with AA plugin in Remote Desktop connections Integrating ticketing systems

Performing authentication with ticketing integration in terminal connections Performing authentication with ticketing integration in Remote Desktop connections

Creating a custom plugin Plugin troubleshooting

Contents of the operational reports Configuring custom reports Creating report subchapters

Creating reports from audit trail content Creating search-based report subchapters from search results Creating search-based report subchapters from scratch Creating statistics from custom database queries Database tables available for custom queries

The alerting table The aps table The archives table The audit_trail_downloads table The channels table The closed_connection_audit_channels view The closed_not_indexed_audit_channels view The connection_events view The connection_occurrences view The connections view The events table The file_xfer table The http_req_resp_pair table The indexer_jobs table The occurrences table The progresses table The results table The skipped_connections table The usermapped_channels view Querying trail content with the lucene-search function

Creating PCI DSS reports Contents of PCI DSS reports Report output

The One Identity Safeguard for Privileged Sessions (SPS) RPC API

Requirements for using the RPC API RPC client requirements Locking One Identity Safeguard for Privileged Sessions (SPS) configuration from the RPC API Documentation of the RPC API Enabling RPC API access to One Identity Safeguard for Privileged Sessions (SPS)

The One Identity Safeguard for Privileged Sessions (SPS) REST API One Identity Safeguard for Privileged Sessions (SPS) scenarios

Configuring public-key authentication on One Identity Safeguard for Privileged Sessions (SPS)

Configuring public-key authentication using local keys Configuring public-key authentication using an LDAP server and a fixed key Configuring public-key authentication using an LDAP server and generated keys

Organizing connections in non-transparent mode

Organizing connections based on port numbers Organizing connections based on alias IP addresses

Using inband destination selection in SSH connections

Using inband destination selection with PuTTY Using inband destination selection with OpenSSH Using inband selection and nonstandard ports with PuTTY Using inband selection and nonstandard ports with OpenSSH Using inband destination selection and gateway authentication with PuTTY Using inband destination selection and gateway authentication with OpenSSH

SSH usermapping and keymapping in AD with public key

Troubleshooting One Identity Safeguard for Privileged Sessions (SPS)

Network troubleshooting Gathering data about system problems Viewing logs on One Identity Safeguard for Privileged Sessions (SPS) Changing log verbosity level of One Identity Safeguard for Privileged Sessions (SPS) Collecting logs and system information for error reporting Collecting logs and system information of the boot process for error reporting Support hotfixes Status history and statistics

Connection statistics Memory Disk CPU Network connections Interface Load average Number of processes Displaying custom connection statistics

Troubleshooting a One Identity Safeguard for Privileged Sessions (SPS) cluster

Understanding One Identity Safeguard for Privileged Sessions (SPS) cluster statuses Recovering One Identity Safeguard for Privileged Sessions (SPS) if both nodes broke down Recovering from a split brain situation Replacing a HA node in a One Identity Safeguard for Privileged Sessions (SPS) cluster Resolving an IP conflict between cluster nodes

Understanding One Identity Safeguard for Privileged Sessions (SPS) RAID status Restoring One Identity Safeguard for Privileged Sessions (SPS) configuration and data VNC is not working with TLS Configuring the IPMI from the BIOS after losing IPMI password Incomplete TSA response received Using UPN usernames in audited SSH connections

Using SPS with SPP

Configuring the Passwords-initiated workflow

Configuring SPP for Passwords-initiated workflow

Configuring the Sessions-initiated workflow

Configuring SPP for Sessions-initiated workflow Configuring SPS for Sessions-initiated workflow

Linking SPS to SPP Troubleshooting the SPS to SPP link

SPP to SPS link error resolution SPP to SPS link issues

Configuring external devices

Configuring advanced routing on Linux Configuring advanced routing on Cisco routers Configuring advanced routing on Sophos UTM (formerly Astaro Security Gateway) firewalls

Using SCP with agent-forwarding Security checklist for configuring One Identity Safeguard for Privileged Sessions (SPS)

Encryption-related settings Connection policies Appliance access Networking considerations

Jumplists for in-product help

Basic Settings > Management Basic Settings > Local Services Basic Settings > System <Protocol name> Control > Global Options

Configuring SPS to use an LDAP backend

LDAP user and group resolution in SPS

Overview Common to all backends POSIX LDAP backend Active Directory LDAP backend

Appliance access

Security checklist for configuring One Identity Safeguard for Privileged Sessions (SPS) > Appliance access

Accessing the One Identity Safeguard for Privileged Sessions (SPS) host directly using SSH is not recommended or supported, except for troubleshooting purposes. In such case, the One Identity Support Team will give you exact instructions on what to do to solve the problem.

For security reasons, disable SSH access to SPS when it is not needed. For details, see "Enabling SSH access to the One Identity Safeguard for Privileged Sessions (SPS) host" in the Administration Guide.
Permit administrative access to SPS only from trusted networks. If possible, monitored connections and administrative access to the SPS web interface should originate from separate networks.
Configure SPS to send an alert if a user fails to login to SPS. For details, see the Login failed alert in "System related traps" in the Administration Guide.
Configure Disk space fill-up prevention, and configure SPS to send an alert if the free space on the disks of SPS is low. For details, see "Preventing disk space fill-up" in the Administration Guide.

Networking considerations

Security checklist for configuring One Identity Safeguard for Privileged Sessions (SPS) > Networking considerations

One Identity Safeguard for Privileged Sessions (SPS) stores sensitive data. Use a firewall and other appropriate controls to ensure that unauthorized connections cannot access it.
If possible, enable management access to SPS only from trusted networks.
Make sure that the HA interface of SPS is connected to a trusted network.

Jumplists for in-product help

Jumplists for in-product help

To find the documentation for a specific UI element, browse the following sections.

Topics:

Basic Settings > Management

Basic Settings > Local Services

Basic Settings > System

<Protocol name> Control > Global Options

Basic Settings > Management

Jumplists for in-product help > Basic Settings > Management

Basic Settings > Management > Syslog: For details, see Configuring system logging.
Basic Settings > Management > SNMP trap settings: For details, see Configuring SNMP alerts.
Basic Settings > Management > Mail settings: For details, see Configuring e-mail alerts.
Basic Settings > Management > Web interface timeout: For details, see Web interface timeout.
Basic Settings > Management > RPC API settings: For details, see Enabling RPC API access to One Identity Safeguard for Privileged Sessions (SPS).
Basic Settings > Management > Change root password: For details, see Changing the root password of One Identity Safeguard for Privileged Sessions (SPS).
Basic Settings > Management > System backup: For details, see:
- Creating configuration backups
- Encrypting configuration backups with GPG
Basic Settings > Management > Verbose system logs: For details, see Changing log verbosity level of One Identity Safeguard for Privileged Sessions (SPS).
Basic Settings > Management > SSL certificates: For details, see Managing the certificates used on One Identity Safeguard for Privileged Sessions (SPS).
Basic Settings > Management > Core files: For details, see Gathering data about system problems.
Basic Settings > Management > Disk space fill-up prevention: For details, see Preventing disk space fill-up.
Basic Settings > Management > Web gateway authentication: For details, see Configuring out-of-band gateway authentication.

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating

© 2023 One Identity LLC. ALL RIGHTS RESERVED. Feedback Terms of Use Privacy