Chat now with support
Chat with Support

One Identity Safeguard for Privileged Sessions 8.0 LTS - Administration Guide

Preface Introduction The concepts of One Identity Safeguard for Privileged Sessions (SPS)
The philosophy of One Identity Safeguard for Privileged Sessions (SPS) Policies Credential Stores Plugin framework Indexing Supported protocols and client applications Modes of operation Connecting to a server through One Identity Safeguard for Privileged Sessions (SPS) Archive and backup concepts Maximizing the scope of auditing IPv6 in One Identity Safeguard for Privileged Sessions (SPS) SSH host keys Authenticating clients using public-key authentication in SSH The gateway authentication process Four-eyes authorization Network interfaces High Availability support in One Identity Safeguard for Privileged Sessions (SPS) Versions and releases of One Identity Safeguard for Privileged Sessions (SPS) Accessing and configuring One Identity Safeguard for Privileged Sessions (SPS)
Cloud deployment considerations The Welcome Wizard and the first login Basic settings
Supported web browsers The structure of the web interface Network settings Configuring date and time System logging, SNMP and e-mail alerts Configuring system monitoring on SPS Data and configuration backups Archiving Cleaning up audit data Using plugins Forwarding data to third-party systems Starling integration
User management and access control
Login settings Managing One Identity Safeguard for Privileged Sessions (SPS) users locally Setting password policies for local users Managing local user groups Managing One Identity Safeguard for Privileged Sessions (SPS) users from an LDAP database Handling user names in User Principal Name (UPN) format Authenticating users to a RADIUS server Authenticating users with X.509 certificates Authenticating users with SAML2 Managing user rights and user groups Creating rules for restricting access to search audit data Displaying the privileges of users and user groups Listing and searching configuration changes
Managing One Identity Safeguard for Privileged Sessions (SPS)
Controlling One Identity Safeguard for Privileged Sessions (SPS): reboot, shutdown Managing One Identity Safeguard for Privileged Sessions (SPS) clusters Managing a High Availability One Identity Safeguard for Privileged Sessions (SPS) cluster Upgrading One Identity Safeguard for Privileged Sessions (SPS) Managing the One Identity Safeguard for Privileged Sessions (SPS) license Accessing the One Identity Safeguard for Privileged Sessions (SPS) console Sealed mode Out-of-band management of One Identity Safeguard for Privileged Sessions (SPS) Managing the certificates used on One Identity Safeguard for Privileged Sessions (SPS)
General connection settings HTTP-specific settings ICA-specific settings MSSQL-specific settings RDP-specific settings SSH-specific settings Using Sudo with SPS Telnet-specific settings VMware Horizon View connections VNC-specific settings Indexing audit trails Using the Sessions interface Advanced authentication and authorization techniques Reports The One Identity Safeguard for Privileged Sessions (SPS) REST API One Identity Safeguard for Privileged Sessions (SPS) scenarios Troubleshooting One Identity Safeguard for Privileged Sessions (SPS)
Network troubleshooting Gathering data about system problems Viewing logs on One Identity Safeguard for Privileged Sessions (SPS) Changing log verbosity level of One Identity Safeguard for Privileged Sessions (SPS) Collecting logs and system information for error reporting Collecting logs and system information of the boot process for error reporting Support hotfixes Status history and statistics Troubleshooting a One Identity Safeguard for Privileged Sessions (SPS) cluster Understanding One Identity Safeguard for Privileged Sessions (SPS) RAID status Restoring One Identity Safeguard for Privileged Sessions (SPS) configuration and data VNC is not working with TLS Configuring the IPMI from the BIOS after losing IPMI password Incomplete TSA response received
Using SPS with SPP Configuring external devices Using SCP with agent-forwarding Security checklist for configuring One Identity Safeguard for Privileged Sessions (SPS) Jumplists for in-product help Configuring SPS to use an LDAP backend Glossary

Monitoring the status of nodes in your cluster

This section describes how to monitor the status of nodes in your cluster.

To monitor the status of nodes in your cluster

  1. On the web interface of your Central management node, navigate to Basic Settings > Cluster management. This page displays all nodes of the cluster.

    Figure 120: Basic Settings > Cluster management — Monitoring the status of the cluster nodes

    The following status information is displayed for each node:

    • Status: Indicates whether any issues occurred during configuration synchronization. It has the following values:

      Table 6: Basic Settings > Cluster management — Status values in the Cluster nodes screen
      Value Description
      OK Configuration synchronization was successful, no issues occurred.
      ISSUES

      While synchronizing the configuration, some issue(s) occurred. If this happens, click ISSUES in the Status column to reveal more information about the detected problem.

      OFFLINE Status information was sent by the node longer than 60 seconds ago.
    • Last updated: Indicates the last time the configuration of the node was synchronized, in ISO 8601 format.
    • Last seen: Indicates the last time the node sent status information to the Central Management node, in ISO 8601 format.

    • Configuration status: Indicates the status of configuration synchronization. It has the following values:

      Table 7: Basic Settings > Cluster management — Configuration status values in the Cluster nodes screen
      Value Description
      UP-TO-DATE The node has fetched the latest configuration from the Central management node, and has applied it. It is in sync with the Central management node.
      PENDING There has been a configuration change on the Central management node, but the change has not yet been synchronized to the node.
      OUTDATED There has been some error on the node, therefore it is running an old configuration.
      NOT FETCHED The node has not fetched any configuration yet.

      N/A

      The node is the Central management node, so it is not fetching its configuration from any other node.

    You can monitor the status of your nodes through the REST API, too. For more information, see Query the status of all nodes in the cluster in the REST API Reference Guide and Query one particular node in the REST API Reference Guide.

Updating the IP address of a node in a cluster

If the node that you joined to the cluster is a Managed host node, you can still change its IP address even after the join.

NOTE: This is not available for nodes that do not have the Managed host role assigned to them.

To update the IP address of a Managed host node that is already the member of a cluster

  1. On the web interface of your Central management node, navigate to Basic Settings > Cluster management.
  2. Click on the row of the node that node that you want to update.

    The node row is expanded, showing the node address and the available roles.

    Figure 121: Basic Settings > Cluster management — Update IP address of node

  3. In the IP Address field, update the IP address of the node.

    Caution:

    Ensure that you are making the change for the Managed Host node. Do not change the IP address of the Central Management node.

  4. Click Update.
  5. On the web interface of the node with the IP address to update, navigate to Basic Settings > Network > Interfaces.
  6. In the Address field, update the IP address of the node.

    Figure 122: Basic Settings > Network > Interfaces — Updating the IP address of your node

  7. Click .

Managing a cluster with configuration synchronization without central search

You can configure your One Identity Safeguard for Privileged Sessions (SPS) cluster in the following ways:

  • Configuration synchronization without a central search: This method allows you to perform your configuration settings on your Central management node. Managed host nodes periodically fetch and merge the settings into their own: this is called "configuration synchronization". Central search is not configured in this method, so you can search for sessions on each node, including the Central management node.

    For more information on this method, see Configuration synchronization without a central search.

  • Central search with configuration synchronization: This method allows you to use a Central management node with a Search master role to view session data recorded by the minion nodes of your cluster, as well as manage all the nodes in the cluster from one central location.

    For more information on this method, see Central search with configuration synchronization.

    IMPORTANT: One Identity does not recommend having a central search configuration without configuration synchronization.

The following figure shows a cluster with configuration synchronization without central search.

Figure 123: Configuration synchronization without central search

The figure above is an example of an SPS cluster configured as follows:

  • There is a Central management node.
  • There are two Managed host nodes (Managed host node 1 and 2).
  • The Central Management node is connected to the two Managed host nodes.
  • The Managed host nodes fetch their configuration from the Central management node, and merge it into their own configuration.
  • The Managed host nodes send their status information to the Central management node every 10 seconds.

The Central management node and the connected Managed host nodes require different configuration settings as described in the table below:

Table 8: Managing a configuration synchronization without a central search
Role Use and configuration settings

Central management node

  • Use it as a node with a central configuration, which is synchronized to the other nodes of the cluster.

  • Perform your configuration settings on this node. Managed host nodes periodically fetch and merge these configuration settings into their own (configuration synchronization).

  • For backup and archive, configure a backup and archive server on your minion node, as well as on your Central management node.

  • Ensure that you configure high availability (HA) for each node (for both your Central management node and the Managed host nodes). Also ensure that the Central management node has a system backup configured.
  • You can search for all the sessions recorded on this node.

Managed host node

  • Use it to record sessions and send status information to the Central management node.

  • Do not perform configuration settings on the minion. These are overwritten during configuration synchronization.

    NOTE: All configuration settings that you make on the minions are overwritten during configuration synchronization except the node specific configuration.

  • Set external and internal indexers.

  • For backup and archive, configure a backup and archive server on your minion node, as well as on your Central management node.

  • Ensure that you configure high availability (HA) for each node (for both your Central management node and the Managed host nodes). Also ensure that the Central management node has a system backup configured.
  • You can search for all the sessions recorded on this node.

For more information on each role, see Cluster roles.

Managing a cluster with central search configuration and configuration synchronization

You can configure your One Identity Safeguard for Privileged Sessions (SPS) cluster in the following ways:

  • Configuration synchronization without a central search: This method allows you to perform your configuration settings on your Central management node. Managed host nodes periodically fetch and merge the settings into their own: this is called "configuration synchronization". Central search is not configured in this method, so you can search for sessions on each node, including the Central management node.

    For more information on this method, see Configuration synchronization without a central search.

  • Central search with configuration synchronization: This method allows you to use a Central management node with a Search master role to view session data recorded by the minion nodes of your cluster, as well as manage all the nodes in the cluster from one central location.

    For more information on this method, see Central search with configuration synchronization.

    IMPORTANT: One Identity does not recommend having a central search configuration without configuration synchronization.

The following figure shows a cluster configured for central search with configuration synchronization.

Figure 124: Central search with configuration synchronization

The figure above is an example of an SPS cluster configured as follows:

  • There is a Central management node, which has a Search master role.
  • There are two Managed host nodes (Managed host node 1 and 2), each configured with a Search minion role.
  • The Central management node is connected to the two minion nodes.
  • The minion nodes record sessions, which are displayed on the Search interface of the Central management node.
  • The minion nodes fetch their configuration from the Central management node, and merge it into their own configuration.

The Central management node with a Search master role and the connected Managed host nodes with Search minion roles require different configuration settings as described in the table below:

Table 9: Managing a central search configuration
Role Use and configuration settings

Central management node, Search master

  • Use it for viewing session data recorded by minions as well as managing all the nodes in the cluster.
  • Perform your configuration settings on this node. Managed host nodes periodically fetch and merge these configuration settings into their own (configuration synchronization).

  • For backup and archive, configure a backup server on your Central management node and an archive server on your minion node.

  • Ensure that you configure high availability (HA) for each node (for both your Central management node and the Managed host nodes). Also ensure that the Central management node has a system backup configured.
  • This node cannot be used to record sessions.

Managed host node, Search minion

  • Use it to record sessions and store audit trail files.
  • Do not perform configuration settings on the minion. These are overwritten during configuration synchronization.

    NOTE: All configuration settings that you make on the minions are overwritten during configuration synchronization except the node specific configuration.

  • Set external and internal indexers.

  • For backup and archive, configure an archive server on your minion node, and a backup server on your Central management node.

  • Ensure that you configure high availability (HA) for each node (for both your Central management node and the Managed host nodes). Also ensure that the Central management node has a system backup configured.

For more information on each role, see Cluster roles.

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating