Chat now with support
Chat with Support

One Identity Safeguard for Privileged Sessions 7.0.4 LTS - Packaging Checklist

Package contents inventory

Carefully unpack all server components from the packing cartons. The following items should be packaged with the One Identity Safeguard for Privileged Sessions:

  • A One Identity Safeguard for Privileged Sessions appliance, pre-installed with the latest One Identity Safeguard for Privileged Sessions firmware.

  • One Identity Safeguard for Privileged Sessions accessory kit, including the following:

    • One Identity Safeguard for Privileged Sessions 7.0.4 LTS Packaging Checklist (this document).

    • GPL v2.0 license.

  • Rack mount hardware (depending on appliance type).

  • Power cable.

The default BIOS and IPMI passwords are in the documentation.

One Identity Safeguard for Privileged Sessions Hardware Installation Guide

This document describes how to set up the One Identity Safeguard for Privileged Sessions (SPS) hardware. Refer to the following documents for step-by-step instructions:

Installing the SPS hardware

The following describes how to install a single SPS unit.

To install a single SPS unit

  1. Unpack SPS.

  2. (Optional) Install SPS into a rack with the slide rails. Slide rails are available for all SPS appliances.

  3. Connect the cables.

    1. Connect the Ethernet cable facing your LAN to the Ethernet connector labeled as 1. This is physical interface 1 of SPS. This interface is used for the initial configuration of SPS, and for monitoring connections. (For details on the roles of the different interfaces, see "Network interfaces" in the Administration Guide.)

    2. (Optional) To use SPS across multiple physical (L1) networks, you can connect additional networks using physical interface 2 (Ethernet connector 2) and physical interface 3 (Ethernet connector 3).

    3. Connect an Ethernet cable that you can use to remotely support the SPS hardware to the IPMI interface of SPS. For details, see the following documents:

      For Safeguard Sessions Appliance 3000 and 3500, see the X9 SMT IPMI User's Guide.

      Caution:

      Connect the IPMI before plugging in the power cord. Failing to do so will result in IPMI failure.

      Caution: SECURITY HAZARD!

      The IPMI, like all out-of-band management interfaces, has known vulnerabilities that One Identity cannot fix or have an effect on. To avoid security hazards, One Identity recommends that you only connect the IPMI to well-protected, separated management networks with restricted accessibility. Failing to do so may result in an unauthorized access to all data stored on the SPS appliance. Data on the appliance can be unencrypted or encrypted, and can include sensitive information, for example, passwords, decryption keys, private keys, and so on.

      For more information, see Best Practices for managing servers with IPMI features enabled in Datacenters.

      NOTE: The administrator of SPS must be authorized and able to access the IPMI for support and troubleshooting purposes in case vendor support is needed.

      The following ports are used by the IPMI:

      • Port 22 (TCP): SSH (configurable)

      • Port 80 (TCP): Web (configurable)

      • Port 161 (UDP, TCP): SNMP (configurable)

      • Port 443 (TCP): Web SSL (configurable)

      • Port 623 (UDP): Virtual Media (configurable)

      • Port 5900 (TCP): IKVM Server (configurable)

      • Port 5985 (TCP): Wsman (configurable)

    4. (Optional) Connect the Ethernet cable connecting SPS to another SPS node to the Ethernet connector labeled as 4. This is the high availability (HA) interface of SPS. (For details on the roles of the different interfaces, see "Network interfaces" in the Administration Guide.)

    5. (Optional) The Safeguard Sessions Appliance 3500 is equipped with a dual-port SFP+ interface card labeled A and B. Optionally, connect a supported SFP+ module to these interfaces.

      NOTE: For a list of compatible connectors, see Linux Base Driver for 10 Gigabit Intel Ethernet Network Connection. Note that SFP transceivers encoded for non Intel hosts may be incompatible with the Intel 82599EB host chipset found in SPS.

  4. Power on the hardware.

  5. Change the BIOS password on the One Identity Safeguard for Privileged Sessions. The default password is ADMIN or changeme, depending on your hardware.

  6. Change the IPMI password on the One Identity Safeguard for Privileged Sessions. The default password is ADMIN or changeme, depending on your hardware.

    NOTE: Ensure that you have the latest version of IPMI firmware installed. You can download the relevant firmware from the One Identity Knowledge base.

    To change the IPMI password, connect to the IPMI remote console.

    NOTE: If you encounter issues when connecting to the IPMI remote console, add the DNS name or the IP address of the IPMI to the exception list (whitelist) of the Java console. For details on how to do this, see the Java FAQ entry titled How can I configure the Exception Site List?.

  7. Following boot, SPS attempts to receive an IP address automatically via DHCP. If it fails to obtain an automatic IP address, it starts listening for HTTPS connections on the 192.168.1.1 IP address.

    To configure SPS to listen for connections on a custom IP address, complete the following steps:

    1. Access SPS from the local console, and log in with username root and password default.

    2. Select Shells > Core shell in the Console Menu.

    3. Change the IP address of SPS:

      ifconfig eth0 <IP-address> netmask 255.255.255.0

      Replace <IP-address> with an IPv4 address suitable for your environment.

    4. Set the default gateway using the following command:

      route add default gw <IP-of-default-gateway>

      Replace <IP-of-default-gateway> with the IP address of the default gateway.

    5. Type exit, then select Logout from the Console Menu.

  8. Connect to the SPS web interface from a client machine and complete the Welcome Wizard as described in "The Welcome Wizard and the first login" in the Administration Guide.

Installing two SPS units in HA mode

Caution:

Creating a High-availability (HA) node pair from different types of hardware is not possible. The primary and the secondary HA nodes have to run on the same type of hardware.

The following describes how to install SPS with high availability support.

To install SPS with high availability support

  1. For the first SPS unit, complete Installing the SPS hardware.

  2. For the second SPS unit, complete Steps 1-3 of Installing the SPS hardware.

  3. Connect the two units with an Ethernet cable via the Ethernet connectors labeled as 4.

  4. Power on the second unit.

  5. Change the BIOS and IPMI passwords on the second unit. The default password is ADMIN or changeme, depending on your hardware.

  6. Connect to the SPS web interface of the first unit from a client machine and enable the high availability mode. Navigate to Basic Settings > High Availability . Click Convert to Cluster, then reload the page in your browser.

  7. Click Reboot Cluster.

  8. Wait until the slave unit synchronizes its disk to the master unit. Depending on the size of the hard disks, this may take several hours. You can increase the speed of the synchronization via the SPS web interface at Basic Settings > High Availability > DRBD sync rate limit.

Self Service Tools
Knowledge Base
Notifications & Alerts
Product Support
Software Downloads
Technical Documentation
User Forums
Video Tutorials
RSS Feed
Contact Us
Licensing Assistance
Technical Support
View All
Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating