Chat now with support
Chat with Support

One Identity Safeguard for Privileged Sessions 6.11.1 - Administration Guide

Preface Introduction The concepts of One Identity Safeguard for Privileged Sessions (SPS)
The philosophy of One Identity Safeguard for Privileged Sessions (SPS) Policies Credential Stores Plugin framework Indexing Supported protocols and client applications Modes of operation Connecting to a server through One Identity Safeguard for Privileged Sessions (SPS) Archive and backup concepts Maximizing the scope of auditing IPv6 in One Identity Safeguard for Privileged Sessions (SPS) SSH host keys Authenticating clients using public-key authentication in SSH The gateway authentication process Four-eyes authorization Network interfaces High Availability support in One Identity Safeguard for Privileged Sessions (SPS) Versions and releases of One Identity Safeguard for Privileged Sessions (SPS) Accessing and configuring One Identity Safeguard for Privileged Sessions (SPS)
Cloud deployment considerations The Welcome Wizard and the first login Basic settings
Supported web browsers and operating systems The structure of the web interface Network settings Configuring date and time System logging, SNMP and e-mail alerts Configuring system monitoring on SPS Data and configuration backups Archiving and cleanup Using plugins Forwarding data to third-party systems Starling integration
User management and access control Managing One Identity Safeguard for Privileged Sessions (SPS)
Controlling One Identity Safeguard for Privileged Sessions (SPS): reboot, shutdown Managing Safeguard for Privileged Sessions (SPS) clusters Managing a High Availability One Identity Safeguard for Privileged Sessions (SPS) cluster Upgrading One Identity Safeguard for Privileged Sessions (SPS) Managing the One Identity Safeguard for Privileged Sessions (SPS) license Accessing the One Identity Safeguard for Privileged Sessions (SPS) console Sealed mode Out-of-band management of One Identity Safeguard for Privileged Sessions (SPS) Managing the certificates used on One Identity Safeguard for Privileged Sessions (SPS)
General connection settings HTTP-specific settings ICA-specific settings MSSQL-specific settings RDP-specific settings SSH-specific settings Using Sudo with SPS Telnet-specific settings VMware Horizon View connections VNC-specific settings Indexing audit trails Using the Search interface Advanced authentication and authorization techniques Reports The One Identity Safeguard for Privileged Sessions (SPS) REST API One Identity Safeguard for Privileged Sessions (SPS) scenarios Troubleshooting One Identity Safeguard for Privileged Sessions (SPS) Using SPS with SPP Configuring external devices Using SCP with agent-forwarding Security checklist for configuring One Identity Safeguard for Privileged Sessions (SPS) Jumplists for in-product help Configuring SPS to use an LDAP backend Glossary

Enabling TLS-encryption for VNC connections

The following steps describe how to enable TLS-encryption in a VNC connection policy.

NOTE:

Some vendors may use custom protocol elements and TLS-encryption that do not have available documentation. As a result, these cannot be audited by One Identity Safeguard for Privileged Sessions (SPS). Regardless of vendors, only the custom features described in the RFC 6143 are supported. As for encryptions, only those completely TLS-encapsulated streams can be processed where the TLS encryption process was started before the VNC protocol handshake.

Prerequisites

Depending on your requirements, one or more of the following might be needed:

  • An X.509 certificate and its private key. SPS can display the same certificate to the peers on both the client and the server side. You can also use different certificates for the client and server sides. Use your own PKI system to generate these certificates, as they cannot be created on SPS. Note that the Common Name of the certificate must contain the domain name or the IP address of SPS, otherwise the clients might reject the certificate.

  • To generate certificates on-the-fly for a connection, a signing certificate authority is required. For details on creating a signing CA, see Signing certificates on-the-fly.

  • To require the peers of SPS to have an X.509 certificate signed by a specific Certificate Authority, a list of the trusted certificate authorities is needed. For details on creating a trusted CA list, see Verifying certificates with Certificate Authorities.

One Identity recommends using 2048-bit RSA keys (or stronger).

To enable TLS-encryption in a VNC connection policy

  1. Navigate to VNC Control > Connections and select the connection policy in which you want to enable TLS.

    Figure 252: VNC Control > Connections — Enabling TLS-encryption for VNC connections

  2. Set the encryption settings used between the client and SPS in the Client-side transport security settings section.

    To require encryption, select TLS. When the connection is encrypted, SPS has to show a certificate to the peer.

    • To use the same certificate for every peer, complete the following steps.

      1. Generate and sign a certificate for One Identity Safeguard for Privileged Sessions (SPS) in your PKI system, then export the certificate and its private key.

      2. Select Use the same certificate for each connection.

      3. Select Private key for host certificate, click and upload the private key.

      4. Select X.509 host certificate, click and upload the certificate.

    • To use a separate certificate for every connection, complete the following steps.

      1. Create a certificate authority that will be used to sign the certificates that SPS shows to the peer. For details, see Signing certificates on-the-fly.

      2. Select Generate certificate on-the-fly.

      3. Select the certificate authority to use in the Signing CA field.

  1. Select how SPS should authenticate the peers.

    • To permit connections from peers without requesting a certificate, select No certificate is required.

    • To permit connections only from peers with a valid certificate that was signed by a specific CA, complete the following steps.

      1. Create a list of trusted Certificate Authorities that will be used to validate the certificates of the peers. For details on creating a trusted CA list, see Verifying certificates with Certificate Authorities.

      2. Select Only accept certificates authenticated by the trusted CA list.

      3. Select the certificate authority list to use in the Trusted CA field.

  1. Set the encryption settings used between SPS and the server in the Server-side transport security settings section.

    To require encryption, select TLS. When the connection is encrypted, SPS has to show a certificate to the peer.

  2. Select the certificate to show to the server.

    • If the server does not require a certificate from SPS, select None.

    • To use the same certificate for every peer, complete the following steps.

      1. Generate and sign a certificate for SPS in your PKI system, and export the certificate and its private key.

      2. Select Use the same certificate for each connection.

      3. Select Private key for host certificate, click and upload the private key.

      4. Select X.509 host certificate, click and upload the certificate.

    • To use a separate certificate for every connection, complete the following steps.

      1. Create a certificate authority that will be used to sign the certificates that SPS shows to the peer. For details, see Signing certificates on-the-fly.

      2. Select Generate certificate on-the-fly.

      3. Select the certificate authority to use in the Signing CA field.

    Limitations

    NOTE: When using the Use the same certificate for each connection option and the connection policy that allows access to multiple servers using HTTPS, the client applications will display a warning because the certificate used in the connection will be invalid (namely, the Common Name of the certificate will not match the hostname or IP address of the server).

    NOTE: Import the certificate of the signing Certificate Authority to your clients. Otherwise, the client applications will display a warning due to the unknown Certificate Authority.

  1. Select how SPS should authenticate the peers.

    • To permit connections from peers without requesting a certificate, select No certificate is required.

    • To permit connections only from peers with a valid certificate that was signed by a specific CA, complete the following steps.

      1. Create a list of trusted Certificate Authorities that will be used to validate the certificates of the peers. For details on creating a trusted CA list, see Verifying certificates with Certificate Authorities.

      2. Select Only accept certificates authenticated by the trusted CA list.

      3. Select the certificate authority list to use in the Trusted CA field.

  1. Click .

    Expected result

    The encryption settings are applied to the connection policy.

Creating and editing protocol-level VNC settings

VNC settings determine the parameters of the connection on the protocol level, including timeout value, and so on.

Caution:

Modifying the VNC settings is recommended only to advanced users. Do not modify these settings unless you exactly know what you are doing.

To create a new VNC settings profile or edit an existing one

  1. Navigate to VNC Control > Settings and click to create a VNC setting profile. Enter a name for the profile (for example vnc_special).

  2. Click to display the parameters of the connection.

  3. Modify the parameters as needed. The following parameters are available:

    • Network idle timeout: Connection timeout value in seconds. To avoid early timeout, set it to a larger value, for example a week (604800 seconds).

      Even if the user is not active, the session can contain activity that must be audited (for example, the output of a script). The idle timeout period will start only after this activity has stopped.

      Caution:

      Determining if a connection is idle is based on the network traffic generated by the connection, not the activity of the user. For example, if an application or the taskbar of a graphical desktop displays the time which is updated every minute, it generates network traffic every minute, negating the effects of timeout values greater than one minute and preventing One Identity Safeguard for Privileged Sessions (SPS) from closing the connection.

    • User idle timeout: If no user activity is detected, terminate the session after the configured time has passed since the last user activity.

      This can be useful if only user-generated network traffic is important in a session. By using this option, situations described in the caution of Network idle timeout (such as a taskbar clock keeping the network traffic open indefinitely) can be avoided. To enable user idle timeout, select Enable user idle timeout and enter a value that is greater than or equal to the value of Network idle timeout.

    • Enable pre channel check: Select this option to evaluate the connection and channel policies before establishing the server-side connection. That way if the connection is not permitted at all, SPS does not establish the server-side connection.

    • To configure TLS security settings on both the Client side and the Server side, proceed to TLS security settings.

      Figure 253: <Protocol> Control > Settings > TLS security settings - configuring TLS security settings

      • Cipher strength specifies the cipher string OpenSSL will use. The following options are possible:

        • Recommended: this setting only uses ciphers with adequate security level.

        • Custom: this setting allows you to specify the list of ciphers you want to permit SPS to use in the connection. This setting is only recommended to ensure compatibility with older systems. For more details on customizing this list, check the 'openssl-ciphers' manual page on your SPS appliance.

          For example: ALL:!aNULL:@STRENGTH

      • Minimum TLS version specifies the minimal TLS version SPS will offer during negotiation. The following options are possible:

        • TLS 1.2: this setting only offers TLS version 1.2 during the negotiation. This is the recommended setting.

        • TLS 1.1: this setting offers TLS version 1.1 and later versions during the negotiation.

        • TLS 1.0: this setting offers TLS version 1.0 and later versions during the negotiation.

      NOTE: Note that SPS only permits TLS-encrypted connections. SSLv3 is not supported.

  4. Click .

  5. Select this settings profile in the VNC settings field of your connections.

Indexing audit trails

One Identity Safeguard for Privileged Sessions (SPS) can index the contents of audit trails using its own indexer service or external indexers. Indexing extracts the text from the audit trails and segments it to tokens. A token is a segment of the text that does not contain whitespace: for example words, dates (2009-03-14), MAC or IP addresses, and so on. The indexer returns the extracted tokens to SPS, which builds a comprehensive index from the tokens of the processed audit trails.

Once indexed, the contents of the audit trails can be searched from the web interface. SPS can extract the commands typed and the texts seen by the user in terminal sessions, and text from graphical protocols like RDP, Citrix ICA, and VNC. Window titles are also detected.

SPS has an internal indexer, which runs on the SPS appliance. In addition to the internal indexer, external indexers can run on Linux hosts.

Processing and indexing audit trails requires significant computing resources. If you have to audit lots of connections, or have a large number of custom reports configured, consider using an external indexer to decrease the load on SPS. For sizing recommendations, ask your One Identity partner or contact our Support Team.

  • The internal indexer service runs on the SPS appliance. It supports languages based on the Latin-, Greek- and Cyrillic alphabets, as well as Chinese, Japanese and Korean languages, allowing it to recognize texts from graphical audit trails in 100+ languages. It can also generate screenshots for content search results.

    Recognizing and OCR-ing CJK (Chinese, Japanese and Korean) languages must be licensed separately.

  • The external indexer runs on Linux hosts and instances. It uses the same engine as the indexer service of SPS, and has the same capabilities and limitations.

    SPS can work with multiple external indexers to process audit trails.

NOTE: The version of the external indexer must be equal to or greater than the version of One Identity Safeguard for Privileged Sessions (SPS). To make sure you meet this criterion, One Identity recommends that you always upgrade your external indexer when you upgrade SPS. You can check that SPS has established a connection to the external indexer on the Indexer > Worker status page of the SPS web interface.

NOTE: If a text is displayed for less than 1 second, it is not indexed.

If you have indexed trails, the index itself is also archived:

When using the Indexer service: Every 30 days, unless the Backup & Archive/Cleanup > Archive/Cleanup policies > Delete data from SPS after is configured to occur less frequently (more than 30 days). For example, if the Delete data from SPS after is 60 days, the index will be archived every 60 days. The content of the archived index will be the content that was available X days before the archival date, where X is the number in the Delete data from SPS after field.

Caution:

Hazard of data loss Make sure you also backup your data besides archiving (for details, see Data and configuration backups). If a system crash occurs, you can lose up to 30 days of index, since the index is only archived in every 30 days.

Reindex audit trails

In certain cases, reindexing already indexed audit trails might be necessary, for example, if the audit trails were indexed without full screen content but you still need to search in screen content. In this case, the audit trails can be reindexed with a different indexer configuration to perform screen content extraction. For more information, contact our Support Team.

Configuring the internal indexer

The following describes how to configure One Identity Safeguard for Privileged Sessions (SPS) to index the audit trails.

Indexing is a resource intensive (CPU and hard disk) operation, and depending on the number of processed audit trails and parallel connections passing SPS, may affect the performance of SPS. Test it thoroughly before enabling it in a production environment that is under heavy load. If your SPS appliance cannot handle the connections and the indexing, consider using external indexers (see "Configuring external indexers" in the Administration Guide) to decrease the load on SPS. For sizing recommendations, ask your One Identity partner or contact our Support Team.

Note that the minimum value of Backup & Archive/Cleanup > Archive/Cleanup policies > Delete data from SPS after is 30 days when using the indexer service. If you previously had a setting lower than this, it will still archive the index after 30 days when the indexer service is used.

NOTE: Only those audit trails will be processed that were created after full-text indexing had been configured for the connection policy. It is not possible to process already existing audit trails.

NOTE: Using content policies significantly slows down connections (approximately 5 times slower), and can also cause performance problems when using the indexer service.

NOTE: The version of the external indexer must be equal to or greater than the version of One Identity Safeguard for Privileged Sessions (SPS). To make sure you meet this criterion, One Identity recommends that you always upgrade your external indexer when you upgrade SPS. You can check that SPS has established a connection to the external indexer on the Indexer > Worker status page of the SPS web interface.

To configure SPS to index the audit trails

  1. Navigate to Basic Settings > Local Services > Indexer service.

    Figure 254: Basic Settings > Local Services > Indexer service > Configure the Indexer service of SPS

  2. Define the Maximum number of parallel audit trails to index on box.

    This option determines the maximum number of parallel indexing tasks that the SPS appliance performs. The default value is set to the number of detected CPU cores. Note that indexing audit trails requires about 50-100 Mbytes of memory for terminal sessions (SSH, Telnet, TN3270), and 150-300 Mbytes for graphical sessions (RDP, ICA, VNC, X11). Consider the memory usage of your SPS host before modifying this value.

  3. Define the Maximum number of parallel audit trails to index near real-time on box.

    This option determines the maximum number of parallel indexing tasks that the SPS appliance performs near real-time, meaning that indexing starts when sessions are still ongoing. The default value is set to 0.

    NOTE: A connection policy configured with near real-time priority (Connection policy > Enable indexing > Priority) requires that you set Maximum number of parallel audit trails to index near real-time on box to a value other than 0.

  4. (Optional) If you have encrypted audit trails and you want to index them, upload the necessary RSA keys (in PEM-encoded X.509 certificates).

    NOTE: Certificates are used as a container and delivery mechanism. For encryption and decryption, only the keys are used.

    1. Click , and then click the first icon to upload the new certificate. A pop-up window is displayed.

      Select Browse, select the file containing the certificate, and click Upload. Alternatively, you can also copy-paste the certificate into the Certificate field and click Set.

    2. To upload the private key corresponding to the certificate, click the second icon. A pop-up window is displayed.

      Select Browse, select the file containing the private key, provide the Password if the key is password-protected, and click Upload. Alternatively, you can also copy-paste the private key into the Key field, provide the Password there, and click Set.

    3. To add more certificate-key pairs, click and repeat steps 3a and 3b.

    TIP: If you want to search in the trail content on the web interface: to view screenshots generated from encrypted audit trails, you also have to upload the necessary private encryption keys to your audit keystore. For more information, see Audit keystore.

  5. Click .

  6. Navigate to Policies > Indexer Policies.

  7. Two Indexer Policies are available by default, both with automatic language detection:

    • full_indexing: Slower, indexes the complete content of the screen, including all events.

    • lightweight_indexing: Significantly faster, but it extracts only the executed commands (Command event) and the window titles (Window title event) that appear on the screen. It does not index any other screen content (for example, text that is displayed in a terminal or that appears in an RDP window).

      For example, in the case of an SSH protocol, lightweight_indexing will index a command with parameters, such as cat --help, but will not index terminal printouts such as the help content itself.

      When you add a new Connection Policy, the lightweight_indexing Indexer Policy is assigned to it by default.

    NOTE: In the case of graphical protocols, the default Optical Character Recognition (OCR) configuration is automatic language detection. This means that the OCR engine will attempt to detect the languages of the indexed audit trails automatically. However, if you know in advance what language(s) will be used, create a new Indexer Policy.

    To create a new Indexer Policy, click .

    Figure 255: Policies > Indexer Policies > Indexing options and manual language selection

  8. Select from the indexing options as follows:

    • Commands: Allows you to browse, search, and analyze the commands issued in SSH and Telnet sessions.

      Caution:

      Do not disable unless you have a reason to do so.

    • Window titles: Text appearing as window titles that can be detected on the screen in RDP, Citrix ICA, and VNC connections. Window title detection involves Optical Character Recognition (OCR) on parts of the screen, and can be slightly resource-intensive. SPS versions up till 6.2 only detected only the active window in the screen. From SPS version 6.3, multiple windows can be detected.

      Limitations
      • Default Windows themes are supported.

      • Windows that do not have an X (close window) button in the top-right corner (or it is not visible) are not detected.

      • Use window title detection for sessions that use a single monitor. The feature works in multi-monitor environments as well, but becomes very slow, therefore it is not recommended.

      • Window title detection is case-insensitive.

      Caution:

      Do not disable unless you have a reason to do so.

    • Full screen contents: Select this option if you want to search in the full screen content of the audited sessions.

      Extract every text that appears on the screen in Telnet, SSH, RDP, Citrix ICA or VNC connections. For graphical protocols, extracting screen content involves Optical Character Recognition (OCR) that requires lots of CPU and disk (consider installing external indexers).

    • Pointing device biometrics: Select this option only if you are using One Identity Safeguard for Privileged Analytics (SPA)).

      Extract biometric data to authenticate the users based on their pointing device (for example, mouse) usage patterns. SPA can analyze mouse movement patterns of your users as a biometric identity verification method to protect against account theft.

    • Typing biometrics: Select this option only if you are using One Identity Safeguard for Privileged Analytics (SPA)).

      Extract biometric data to authenticate the users based on their typing dynamics. SPA can analyze the typing patterns of your users as a biometric identity verification method to protect against account theft.

  9. To configure what languages to detect, select Select languages manually for character recognition. Select the language(s) to detect. Note the following:

    • Specifying only one language provides the best results in terms of performance and precision.

    • The English language is always detected along with the non-English languages that you have configured. However, if you want the OCR to only recognize the English language, you have to select it from the list of languages.

    • There are certain limitations in the OCR engine when recognizing languages with very different character sets. For this reason, consider the following:

      • When selecting Asian languages (Simplified Chinese, Traditional Chinese, Korean), avoid adding languages that use the Latin alphabet.

      • When selecting the Arabic language, avoid selecting any other languages.

      • The Thai language is currently not supported. If you are interested in using SPS to index Thai texts, contact our Sales Team.

  10. Specify an accuracy level for Optical Character Recognition (OCR). Each accuracy level brings a different degree of speed and accuracy:

    • Fast: The fastest option with potentially less accurate results. Select this option if speed is more important to you than getting the most accurate results possible.

    • Balanced (default setting): Fairly accurate option with less than optimum speed. Select this option if you want results to be fairly accurate but you have more than a few sessions to process and processing time is less of a concern.

    • Accurate: The most accurate option with less optimal speed. Select this option if you must have the most accurate results possible and speed is less important or you only have a few sessions to process.

  11. Configure the Indexing policy for the Connection policy that you want to index:

    By default, the lightweight_indexing Indexing policy is enabled for every Connection policy with normal priority. If this is ideal for you, skip this step and continue with the next step. If you want to use a different policy, for example because you want to OCR the complete screen content, or because you have created a language-specific indexer policy, complete the following substeps.

    1. Navigate to the Control > Connections page of the traffic type (for example SSH Control), and select the connection policy to index.

    2. Figure 256: <Protocol name> Control > Connections > Enable indexing — Select Indexing Policy

      Select the Indexing Policy to be used. Both built-in Indexer Policies feature automatic language detection. To specify a particular language detection configuration, select the Indexing Policy you have created before (in Step 6).

    3. To determine the priority level of indexing this connection, select the appropriate Priority level. Selecting a high priority level means that the trails of this connection will be indexed first. Selecting a low priority level means that the trails of this connection will be indexed also, but there might be a delay in indexing if there are a lot of high-priority connections waiting to be indexed. Selecting near real-time means that the indexing of sessions starts when sessions are still ongoing.

    4. Click .

  12. Check which channel policy is used in the connection, and navigate to the <Protocol name> Control > Connections page. Select the channel policy used in the connection to index.

  13. On the <Protocol name> Control > Channel Policies page, verify that the Record audit trail option is selected for the channels you want to index (for example, the Session shell channel in SSH, or the Drawing channel in RDP).

  14. Click .

    TIP: To verify that indexing works as configured, start a session that uses this connection policy (connect from a client to a server).

    When the session is finished, navigate to the Indexer > Indexer status page to verify that the indexer service is processing the audit trail.

    If the audit trails are encrypted, ensure that the required decryption keys have been uploaded to Basic Settings > Local Services > Indexer service > Indexer keys.

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating