Chat now with support
Chat with Support

One Identity Safeguard for Privileged Passwords 2.4 - Administration Guide

Introduction System requirements Installing the One Identity Safeguard for Privileged Passwords desktop client Setting up Safeguard for Privileged Passwords for the first time Getting acquainted with the console Privileged access requests Toolbox Accounts Account Groups Assets Asset Groups Directories Entitlements Partitions Settings
Access Request settings Appliance settings Asset Management settings Backup and Retention settings Certificate settings Cluster settings External Integration settings Messaging settings Profile settings Access settings Sessions settings
Users User Groups Disaster recovery Administrator permissions Preparing systems for management Troubleshooting Frequently asked questions
How do I access the API How do I audit transaction activity How do I configure external federation authentication How do I manage accounts on unsupported platforms How do I modify the appliance configuration settings How do I prevent Safeguard for Privileged Passwords messages when making RDP connections How do I see which assets and/or accounts are governed by a profile How do I set the appliance system time How do I setup discovery jobs How do Safeguard for Privileged Passwords database servers use SSL What are the access request states What do I do when an appliance goes into quarantine What is required for One Identity Safeguard for Privileged Passwords Privileged Sessions What is required to integrate with Starling Identity Analytics & Risk Intelligence What needs to be set up to use Application to Application What role-based email notifications are generated by default When does the rules engine run for dynamic grouping and tagging Why did the password change during an open request Why join Safeguard for Privileged Passwords to One Identity Starling
Safeguard Desktop Player Appendix: Safeguard ports

Installing a sessions certificate

NOTE: If a Safeguard Sessions Appliance is joined to Safeguard for Privileged Passwords, assigning the certificate is handled via Safeguard for Privileged Sessions.

If you do not want to use the default certificate provided with Safeguard for Privileged Passwords, you can replace it with another certificate with a private key.

NOTE: For uploading certificates with private keys, Safeguard for Privileged Passwords supports .pfx ( or .p12) files which follow the PKCS #12 standard.

To install a session certificate

  1. Navigate to Administrative Tools | Settings | Certificates | Sessions Certificates.
  2. Click (or tap) the Add Certificate button for the sessions certificate to be replaced. Select the appropriate option:

    • Install Certificate generated from CSR
    • Install Certificate with Private Key
  3. Browse to select the certificate file (.pfx file) and click (or tap) OK.
  4. Once installed, this new certificate will replace the default certificate listed on the Sessions Certificates pane.

Creating a Certificate Signing Request for Sessions

NOTE: If a Safeguard Sessions Appliance is joined to Safeguard for Privileged Passwords, assigning the certificate is handled via Safeguard for Privileged Sessions.

If you do not want to use a default sessions certificate provided with Safeguard for Privileged Passwords, you can enroll a certificate using a Certificate Signing Request (CSR) to replace the default certificate.

To create a CSR for a sessions certificate

  1. Navigate to Administrative Tools | Settings | Certificates | Sessions Certificates.
  2. Click (or tap) the Add Certificate button for the certificate to be replaced and select Create Certificate Signing Request (CSR).
  3. In the Certificate Signing Request dialog, enter the following information:
    1. Subject (Distinguished Name): Enter the distinguished name of the person or entity to whom the certificate is being issued. Maximum length of 500 characters.

      Note: Click (or tap) Use Distinguished Name Creator to create the distinguished name based on fully-qualified domain name, department, organization unit, locality, state/county/region, and country.

    2. Alternate DNS Names: Optionally, enter additional or alternate host names (such as, IP addresses, sites, common names) that are to be protected by this certificate.
    3. Key Size: Select the bit length of the private key pair:

      • 1024
      • 2048 (default)
      • 4096

      NOTE: The bit length determines the security level of the certificate. A higher bit length means stronger security.

  4. Click (or tap) OK to save your selections and enroll the certificate.

    Certificates enrolled via CSR are listed in the Certificate Signing Request pane.

Resetting to use default certificate

NOTE: If a Safeguard Sessions Appliance is joined to Safeguard for Privileged Passwords, assigning the certificate is handled via Safeguard for Privileged Sessions.

If you have uploaded and replaced a default sessions certificate, you can reset this user-supplied certificate to use the default certificate provided with Safeguard for Privileged Passwords.

To reset a certificate back to the default sessions certificate:

  1. Navigate to Administrative Tools | Settings | Certificates | Sessions Certificates.
  2. Click (or tap) Use Default for the certificate that is to be reset to use the default certificate.
  3. In the Use Default confirmation dialog, enter the word default and click (or tap) OK.

    Once installed, the default certificate will display in the Sessions Certificates pane and be used by the Privileged Sessions module.

SSL Certificates

Safeguard for Privileged Passwords enables an Appliance Administrator to upload SSL certificates with private keys or enroll SSL certificates via a CSR.

NOTE: Initially, the default self-signed SSL certificate used for HTTPS is listed and assigned to the appliance. This default certificate is not a trusted certificate and should be replaced.

Navigate to Administrative Tools | Settings | Certificates | SSL Certificates. The SSL Certificates pane displays the following information for the SSL certificates stored in the database.

Table 175: SSL Certificates: Properties
Property Description
Appliances

Lists the name of the appliance to which the certificate is assigned.

Subject

The name of the subject (such as user, program, computer, service or other entity) assigned to the certificate when it was requested.

Alternate DNS Names

Additional or alternate host names (such as, IP addresses, sites, common names) that were specified when the certificate was requested.

NOTE: For the default self-signed SSL certificate, the name and IP address of the appliance is used.

Invalid Before

A "start" date and time that must be met before a certificate can be used.

Expiration Date

The date and time when the certificate expires and can no longer be used.

Thumbprint

A unique hash value that identifies the certificate.

Issued By

The name of the certificate authority (CA) that issued the certificate.

Use these toolbar buttons to manage SSL certificates.

Table 176: SSL Certificates: Toolbar
Option Description
Add Certificate | Upload Certificate

Upload an SSL certificate.

For more information, see Installing an SSL certificate.

Add Certificate | Create Certificate Signing Request (CSR)

Create a CSR to enroll a certificate.

For more information, see Creating a Certificate Signing Request.

Assign Certificate to Appliance(s)

Assign the selected certificate to one or more appliances.

For more information, see Assigning a certificate to appliances.

Unassign Certificate

Unassign the selected certificate from one or more appliances.

Delete Selected

Delete the selected certificate from Safeguard for Privileged Passwords.

Refresh

Update the list of SSL certificates available (uploaded to Safeguard for Privileged Passwords).

Related Documents