One Identity Safeguard for Privileged Passwords 2.4 - Administration Guide

Assigning an archive server to an appliance

NOTE: If a Safeguard Sessions Appliance is joined to Safeguard for Privileged Passwords, session recording is handled via Safeguard for Privileged Session.

It is recommended that you assign an archive server to each appliance in your Safeguard for Privileged Passwords deployment to store that appliance's session recordings. This best practice will prevent you from filling up the appliance's local disk space.

IMPORTANT: Clustered environment: It is highly recommended that you assign an archive server to at least the primary appliance in a clustered environment. You may also want to consider assigning an archive server to each individual appliance in the cluster.

If a replica in the cluster does not have an archive server assigned to it for its session recordings, the primary appliance will act as a proxy for archiving any recordings for that replica. If the primary appliance does not have an archive server assigned for session recordings, the following will happen:

  • Any recorded session produced by the primary appliance will remain on the primary appliance.
  • All recorded sessions produced by any replica in the cluster without an assigned archive server will also remain on the primary appliance.
  • Each of these recordings will be replicated to every cluster member and therefore consume a lot of disk space throughout the cluster.

Therefore, to avoid filling up disk space on both the primary appliance and the replica appliances, ensure that at least the primary appliance has an archive server assigned for storing session recordings.

To assign an archive server to an appliance

NOTE: Clustered environment: Log into the primary appliance to assign archive servers to your primary appliance and replica appliances.

  1. In Administrative Tools | Settings, select Backup and Retention | Archive Servers to configure your archive servers. For more information, see Adding an archive server.
  2. In Administrative Tools | Settings, select Sessions | Session Recordings Storage Management to assign an archive server to the appliance.

    1. Select the appliance from the grid.
    2. Click (or tap) the Assign Archive Server to Appliance toolbar button.

    The name of the target archive server will appear in the Archive Server Name column.

Sessions Module

Safeguard for Privileged Passwords has an embedded sessions module.

NOTE: If a Safeguard Sessions Appliance is joined to Safeguard for Privileged Passwords, sessions configuration is handled via Safeguard for Privileged Session.

Navigate to Administrative Tools | Settings | Sessions | Sessions Module. From the Sessions Module pane, an Appliance Administrator can view the current status of the One Identity Safeguard for Privileged Passwords Privileged Sessions module and reset the embedded sessions module.

Table 223: Sessions Module controls
Control Description

Refresh

Click (or tap) to retrieve and update the session module's status.

Health Check

Click (or tap) to run and display the results of the health check run against the sessions module.

An additional pane appears, displaying results for the following:

  • HTTP: Checks whether Safeguard for Privileged Passwords can communicate with the sessions module via the internal web interface.
  • SSH: Checks whether Safeguard for Privileged Passwords can communicate with the embedded sessions module via the internal SSH channel.
  • SNMP: Checks whether Safeguard for Privileged Passwords can communicate with the embedded sessions module via the SNMP channel. It also checks whether the sessions module can report significant events back to Safeguard for Privileged Passwords via SNMP.
  • Keys: Checks whether the proper keys are in place in order for the embedded sessions module to communicate back to Safeguard for Privileged Passwords.
  • Internal: Checks whether the embedded sessions module can interact with Safeguard for Privileged Passwords once a session request has been made.

NOTE: The background of the Session Module Health pane changes colors indicating the current health of the embedded sessions module:

  • Green: All components of the embedded sessions module are healthy (OK).
  • Red: An error was encountered with at least one of the components. The error message is displayed.

Click X in the upper right corner to close the Session Module Health pane.

Module Status

Displays the current status of the Privileged Sessions module.

Reset Sessions Module

When the Privileged Sessions module is not responding and users cannot connect to their target systems, click the Reset Sessions Module button to reboot the embedded sessions module. Click (or tap) Reset Now in the Reset Sessions Module confirmation dialog.

NOTE: Resetting the embedded sessions module will terminate all active sessions.

SSH Banner

NOTE: If a Safeguard Sessions Appliance is joined to Safeguard for Privileged Passwords, sessions configuration is handled via Safeguard for Privileged Session.

It is the responsibility of the Appliance Administrator to define the banner text shown to session users when they initiate a privileged session. The SSH banner notifies session users that One Identity Safeguard for Privileged Passwords will record the current session.

Navigate to Administrative Tools | Settings | Sessions | SSH Banner.

To define the SSH banner text

  1. In Settings, select Sessions | SSH Banner.
  2. In the Banner Text box, enter the text to be displayed to session users.
  3. Click (or tap) OK to save the message.

SSH Host Key

NOTE: If a Safeguard Sessions Appliance is joined to Safeguard for Privileged Passwords, sessions configuration is handled via Safeguard for Privileged Session.

The SSH Host Key pane allows the Appliance Administrator to verify or specify the SSH host key presented to the user's SSH client whenever an SSH session is started.

Navigate to Administrative Tools | Settings | Sessions | SSH Host Key.

Table 224: SSH Host Key settings
Setting Description
Fingerprint

Displays the SSH key fingerprint identifying the host to which you are currently connected.

Set New Key

Click (or tap) Set New Key to set a new SSH private key for authenticating to an SSH session.

Generate New Key Pair

If you do not have an SSH key, click (or tap) Generate New Key Pair to generate a new SSH key to use for authentication to an SSH session.

Download Public Key

Click (or tap) Download Public Key to download a public SSH key for authenticating to an SSH session.
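One way to check, outside the console, that a file obtained with Download Public Key corresponds to the value shown under Fingerprint. This is an added example, not One Identity code: it assumes the downloaded file is a one-line OpenSSH public key and that the console shows the fingerprint in either the SHA256 or the MD5 colon-hex form. The sample key and the helper names are constructed for illustration.

```python
import base64
import hashlib
import struct

def sample_key_line(seed):
    """Build a constructed ed25519-shaped public key line (not a real key)."""
    name = b"ssh-ed25519"
    blob = (struct.pack(">I", len(name)) + name
            + struct.pack(">I", 32) + bytes([seed]) * 32)
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " constructed-sample"

SAMPLE_LINE = sample_key_line(0x11)

def decode_blob(line):
    """Decode '<type> <base64> [comment]' and check the embedded key type."""
    parts = line.split()
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    key_type = parts[0]
    blob = base64.b64decode(parts[1], validate=True)
    if len(blob) < 4:
        raise ValueError("key blob too short")
    (name_len,) = struct.unpack(">I", blob[:4])
    # The blob starts with a length-prefixed copy of the key type; a mismatch
    # means the line was edited or the file is not what it claims to be.
    if blob[4:4 + name_len] != key_type.encode():
        raise ValueError("declared key type does not match the key blob")
    return blob

def fingerprints(line):
    """Return the SHA256 and MD5 fingerprints of the key in OpenSSH notation."""
    blob = decode_blob(line)
    sha = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    md5 = hashlib.md5(blob).hexdigest()
    pairs = ":".join(md5[i:i + 2] for i in range(0, len(md5), 2))
    return {"sha256": "SHA256:" + sha, "md5": "MD5:" + pairs}

def matches(line, expected):
    """True if `expected` (copied from the console) is this key's fingerprint."""
    want = expected.strip()
    fp = fingerprints(line)
    if want.startswith("SHA256:"):
        return want.rstrip("=") == fp["sha256"]  # base64 is case-sensitive
    # Otherwise treat it as MD5 colon-hex, with or without the "MD5:" prefix.
    bare = want[4:] if want.upper().startswith("MD5:") else want
    return "MD5:" + bare.lower() == fp["md5"]

if __name__ == "__main__":
    for form, value in fingerprints(SAMPLE_LINE).items():
        print(form, value)
```

A mismatch between the downloaded key and the displayed fingerprint means the key users will be shown is not the one the administrator reviewed, so it should be resolved before the fingerprint is distributed to SSH client users.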
