Chat now with support
Chat with Support

One Identity Safeguard for Privileged Sessions 6.11.1 - Administration Guide

Preface Introduction The concepts of One Identity Safeguard for Privileged Sessions (SPS)
The philosophy of One Identity Safeguard for Privileged Sessions (SPS) Policies Credential Stores Plugin framework Indexing Supported protocols and client applications Modes of operation Connecting to a server through One Identity Safeguard for Privileged Sessions (SPS) Archive and backup concepts Maximizing the scope of auditing IPv6 in One Identity Safeguard for Privileged Sessions (SPS) SSH host keys Authenticating clients using public-key authentication in SSH The gateway authentication process Four-eyes authorization Network interfaces High Availability support in One Identity Safeguard for Privileged Sessions (SPS) Versions and releases of One Identity Safeguard for Privileged Sessions (SPS) Accessing and configuring One Identity Safeguard for Privileged Sessions (SPS)
Cloud deployment considerations The Welcome Wizard and the first login Basic settings
Supported web browsers and operating systems The structure of the web interface Network settings Configuring date and time System logging, SNMP and e-mail alerts Configuring system monitoring on SPS Data and configuration backups Archiving and cleanup Using plugins Forwarding data to third-party systems Starling integration
User management and access control Managing One Identity Safeguard for Privileged Sessions (SPS)
Controlling One Identity Safeguard for Privileged Sessions (SPS): reboot, shutdown Managing Safeguard for Privileged Sessions (SPS) clusters Managing a High Availability One Identity Safeguard for Privileged Sessions (SPS) cluster Upgrading One Identity Safeguard for Privileged Sessions (SPS) Managing the One Identity Safeguard for Privileged Sessions (SPS) license Accessing the One Identity Safeguard for Privileged Sessions (SPS) console Sealed mode Out-of-band management of One Identity Safeguard for Privileged Sessions (SPS) Managing the certificates used on One Identity Safeguard for Privileged Sessions (SPS)
General connection settings HTTP-specific settings ICA-specific settings MSSQL-specific settings RDP-specific settings SSH-specific settings Using Sudo with SPS Telnet-specific settings VMware Horizon View connections VNC-specific settings Indexing audit trails Using the Search interface Advanced authentication and authorization techniques Reports The One Identity Safeguard for Privileged Sessions (SPS) REST API One Identity Safeguard for Privileged Sessions (SPS) scenarios Troubleshooting One Identity Safeguard for Privileged Sessions (SPS) Using SPS with SPP Configuring external devices Using SCP with agent-forwarding Security checklist for configuring One Identity Safeguard for Privileged Sessions (SPS) Jumplists for in-product help Configuring SPS to use an LDAP backend Glossary

Unlocking your audit keystore

This section provides information on:

  • How to unlock your audit keystore

  • How to reset your audit keystore if you forgot your master password

NOTE: The private keys are stored locally, in your browser.

In the audit keystore, the master password protects your private keys from unauthorized use, for example, if you share a computer with anyone.

To use the private keys that are stored in your audit keystore to decrypt audit items, you must unlock your audit keystore by providing your master password. After providing your master password, your audit keystore remains unlocked for the duration of your session, or until you click Lock keystore on User menu > Audit keystore.

To unlock your audit keystore

  1. Navigate to User menu > Audit keystore.

  2. Click Unlock private keystore.

    The Unlock keystore dialog is displayed.

    Figure 47: User Menu > Audit keystore > Unlock private keystore — Enter the master password

    Enter your master password and click Unlock keystore.

    The audit keystore is unlocked.

    You can add new keys or manage your uploaded private keys.

Resetting your audit keystore

To reset your audit keystore if you forgot your master password

NOTE: The master password cannot be changed, but if you forget your master password, you can reset your audit keystore. If you reset your audit keystore, you must upload your private keys again.

  1. Navigate to User menu > Audit keystore.

  2. If you forgot your master password, click Forget password?.

  3. In the Forget password? dialog, click Reset keystore.

  4. Click Add new key and the Create master password dialog is displayed, where you can add a new master password.

  5. Upload the necessary private keys again to your audit keystore.

Result

The audit keystore is unlocked and it remains open for the duration of your session or until you click Lock keystore.

Deleting a private key from your audit keystore

This section provides information on how to delete a key in your audit keystore.

NOTE: The private keys are stored locally, in your browser.

To delete a key from your audit keystore

  1. Navigate to User menu > Audit keystore.

  2. Click Unlock private keystore.

    The Unlock keystore dialog is displayed.

    Figure 48: User Menu > Audit keystore > Unlock private keystore — Enter the master password

    Enter your master password and click Unlock keystore.

    The audit keystore is unlocked.

  3. Click next to the private key that you want to delete.

    NOTE: If you delete the last private key from your audit keystore, the audit keystore is reset and next time you add a private key to your audit keystore, you must define a master password again.

Result

The private key is deleted from your audit keystore.

Network settings

The Basic Settings > Network tab contains the network interface and naming settings of One Identity Safeguard for Privileged Sessions (SPS).

Interfaces

Figure 49: Basic Settings > Network > Interfaces

Lists all of the logical interfaces (VLAN IDs, IP addresses, netmasks, and names) assigned to the three physical interfaces of SPS. For more information on managing logical interfaces, see Managing logical interfaces.

In addition, it is also possible to set the Maximum Transmission Unit (MTU) for each network interface (VLAN or network interface card) individually. The default value is 1500.

Speed is displayed for every physical interface. To explicitly set the speed of the interface, select the new value from the Speed field. Modifying the speed of an interface is recommended only for advanced users.

You can add interface-specific network routes using the Advanced routing option of each interface. Otherwise, use the Routing table option to manage networking routes.

Routing table

Figure 50: Basic Settings > Network > Routing table

When sending a packet to a remote network, SPS consults the routing table to determine the path it should be sent. If there is no information in the routing table then the packet is sent to the default gateway. Use the routing table to define static routes to specific hosts or networks. You have to use the routing table if SPS interfaces are connected to multiple subnets.

Click the and icons to add new routes or delete existing ones. A route means that messages sent to the Address/Netmask network should be delivered to Gateway.

For detailed examples, see Configuring the routing table.

IP forwarding

Figure 51: Basic Settings > Network > IP forwarding

You can enable routing between logical interfaces, which allows you to direct uncontrolled traffic through SPS. For more information, see Routing uncontrolled traffic between logical interfaces.

To mimic the functionality of the deprecated Router mode, configure a logical interface for each physical interface you want to connect, and enable IP forwarding between them.

Naming

Figure 52: Basic Settings > Network > Naming

  • Hostname: Name of the machine running SPS.

  • Nick name: The nickname of SPS. Use it to distinguish the devices. It is displayed in the core and boot login shells.

  • DNS search domain: Name of the domain used on the network. When resolving the domain names of the audited connections, SPS will use this domain to resolve the target hostname if the appended domain entry of a target address is empty.

  • Primary DNS server: IP address of the name server used for domain name resolution.

  • Secondary DNS server: IP address of the name server used for domain name resolution if the primary server is unaccessible.

HTTPS proxy

The HTTPS proxy settings must be configured if your company policies do not allow devices to connect directly to the web. Once configured, SPS uses the configured proxy server for outbound web requests to external integrated services, such as Join to Starling or SPS plugins.

Figure 53: Basic Settings > Network > HTTPS proxy

  • Proxy server: The IP address or DNS name of the proxy server.

  • Port: The IP address or DNS name of the proxy server.

    NOTE:

    If different ports are specified in the Proxy server and the Port field, the Port field takes precedence.

  • Username: The user name used to connect to the proxy server.

    NOTE:

    The username and password are only required if your proxy server requires them to be specified.

  • Password: The password required to connect to the proxy server.

    NOTE:

    The username and password are only required if your proxy server requires them to be specified.

Configuring user and administrator login addresses

You can configure two separate login addresses for accessing the web interface of One Identity Safeguard for Privileged Sessions (SPS):

  • Web login (admin and user): On this address, users can, depending on their access privileges, modify the configuration of SPS, and perform authentication-related activities (gateway authentication, 4-eyes authorization).

  • Web login (user only): The configuration of SPS cannot be viewed or altered from this address. Users (even ones with administrator privileges) can only perform gateway authentication and 4-eyes authorization.

NOTE: For more information on gateway authentication and 4-eyes authorization, see Advanced authentication and authorization techniques.

Both login addresses can be configured to restrict connections to a configured set of IP addresses only.

NOTE:

When configuring HTTP or SSH connections, avoid using the IP address configured for administrator or user login on One Identity Safeguard for Privileged Sessions (SPS) .

The login addresses are, by default, protected against brute-force attacks. For more information on the Protect against brute-force attacks option, see section Protecting against brute-force attacks.

To configure two separate login addresses for accessing the web interface of SPS

  1. Navigate to Basic Settings > Local Services > Web login.

    Figure 54: Basic Settings > Local Services > Web login — Configuring web login address

  2. Choose in the Listening addresses field.

  3. Enter the IP address to use for connecting to SPS's user interface into the Address field.

    The available addresses correspond to the interface addresses configured in Basic Settings > Network > Interfaces. Only IPv4 addresses can be selected.

  4. Enter the port number for HTTP connections into the HTTP field.

  5. Enter the port number for HTTPS connections into the HTTPS field.

  6. (Optional) To permit access to the SPS web interface only from selected subnets or IP addresses, select Restrict clients, click and enter the IP address and netmask of the allowed clients. Note that these settings do not affect the SSH access to SPS.

    Caution:

    Permit administrative access to SPS only from trusted networks. If possible, monitored connections and administrative access to the SPS web interface should originate from separate networks.

    After comitting the changes, the web interface will be available only from the configured subnets or IP addresses.

    Use an IPv4 address.

  7. (Optional) Protect against brute-force attacks: modify the values of Attempt limit, Lockout period, or both, according to your security requirements.

    NOTE: You can configure the Protect against brute-force attacks option only under Web login (admin and user), but these settings are inherited by the Web login (user only) settings too.

    For detailed information on the Protect against brute-force attacks option, see section Protecting against brute-force attacks.

  8. Recommended: configure a separate login address for user connections in Web login (user only). The configuration settings of SPS cannot be viewed or modified from this address.

  9. Click .

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating