
One Identity Safeguard for Privileged Passwords 2.5 - Administration Guide


Unjoining replicas from a cluster

Safeguard for Privileged Passwords allows the Appliance Administrator to unjoin replica appliances from a cluster. Prior to unjoining a replica from a Safeguard for Privileged Passwords cluster, review the unjoin considerations which follow.

Considerations to unjoin cluster members

  • You can only unjoin replica appliances from a cluster.

  • To promote a replica to be the new primary and then unjoin the 'old' primary appliance, you can use the Failover option if the cluster has consensus (the majority of the appliances are online and able to communicate). For more information, see Failing over to a replica by promoting it to be the new primary. If the cluster does not have consensus, use the Cluster Reset option to rebuild your cluster. For more information, see Resetting a cluster that has lost consensus.
  • To perform an unjoin operation, the replica appliance to be unjoined can be in any state; however, the remaining appliances in the cluster must achieve consensus (online and able to communicate).
  • You can unjoin a replica appliance when logged into any appliance in the cluster that is online using an account with Appliance Administrator permissions.
  • When you unjoin a replica appliance from a cluster, the appliance is removed from the cluster as a stand-alone appliance that retains all of the data and security policy configuration information it contained prior to being unjoined. After the replica is unjoined, the appliance is placed in a Read-only mode with the functionality identified in Read-only mode functionality. You can activate an appliance in Read-only mode so you can add, delete and modify data, apply access request workflow, and so on. For more information, see Activating a read-only appliance.

To unjoin a replica from a cluster

  1. Log into an appliance in the cluster, as an Appliance Administrator.
  2. In Administrative Tools, navigate to Settings | Cluster | Cluster Management.
  3. In the cluster view (left pane), select the replica node to be unjoined from the cluster.
  4. In the details view (right pane), click Unjoin.
  5. In the Unjoin confirmation dialog, enter the word Unjoin and click OK to proceed.

    Safeguard for Privileged Passwords displays (synchronizing icon) and (lock icon) next to the appliance it is unjoining and puts the replica appliance in Maintenance mode while it is unjoining from the cluster.

    Once the operation has completed, the replica appliance no longer appears in the cluster view (left pane).

NOTE: If you log into the replica appliance using the desktop client while Safeguard for Privileged Passwords is processing an unjoin operation, you will see the Maintenance mode screen. At the end of the Maintenance mode, you will see a Restart Desktop Client button indicating that the unjoin operation completed successfully.

Maintaining and diagnosing cluster members

When a node is selected in the Cluster view (left pane) of the Cluster settings page, the appliance details and cluster health view (right pane) displays details about the selected appliance. From this pane you can run the following maintenance and diagnostic tasks against the selected appliance.

Table 251: Cluster health toolbar buttons
Option Description

Unjoin

Click Unjoin to remove a replica from the cluster. For more information, see Unjoining replicas from a cluster.

Failover

Click Failover to promote a replica to the primary appliance. For more information, see Failing over to a replica by promoting it to be the new primary.

Activate

Click Activate to activate a Read-only appliance so it can add, modify and delete data. For more information, see Activating a read-only appliance.

CAUTION: Activating an appliance that is in Read-Only mode will take it out of the Read-only state and enable password check and change for managed accounts. Ensure that no other Safeguard for Privileged Passwords Appliance is actively monitoring these accounts, otherwise access to managed accounts could be lost.

Diagnose

Click Diagnose to open the Diagnostics pane where you can perform the following:

Check Health

Click Check Health to capture and display the current state of the selected appliance.

Restart

Click Restart to restart the selected appliance.

Confirm your intentions by entering a Reason and clicking Restart.

To fix more serious issues with a cluster, you can perform additional operations depending on the state of the cluster members. Some such operations include:

Enable offline workflow

To ensure password consistency and individual accountability for privileged accounts, access requests are disabled when an appliance loses consensus in the cluster. In the event of an extended network partition, the Appliance Administrator can manually place an appliance in Offline Workflow mode to run access request workflow on that appliance in isolation from the rest of the cluster. When the network issues are resolved and connectivity is reestablished, the Appliance Administrator can manually resume online operations to merge audit logs, drop any in-flight access requests, and return the appliance to full participation in the cluster.

It is recommended that no changes to cluster membership are made while an appliance is in Offline Workflow mode. The Appliance Administrator must manually restore the online operations before adding other nodes to ensure the appliance can seamlessly reintegrate with the cluster.

Offline workflow considerations

In Offline Workflow mode an appliance functions apart from the other members of the cluster. Users can request passwords and sessions.

Passwords in Offline Workflow mode

  • In Offline Workflow mode, the appliance is enabled to request, approve, and release passwords and sessions without a quorum using cached policy data.
  • In Offline Workflow mode, when policy requires change after check-in, the requirement is by-passed to allow for subsequent check out. In this case, the Access Request Password Reset By-passed Event is generated, stating: An access request subsequent check out is available as password reset was by-passed.

  • Password changes will be re-scheduled and will possibly complete when network connectivity is restored even while the appliance is in Offline Workflow mode.

  • Users may still request a password from the primary or another replica on the cluster with consensus; password check and change work as usual. The result is that passwords may get out of sync on the appliance running Offline Workflow mode. This is expected behavior and the password will remain out of sync until the partition is healed.
  • On a network partition where one or more appliances are in Offline Workflow mode, it is possible for two individuals to have the same password at the same time. Tying actions back to a single responsible individual is not possible. It will still be possible to identify each person that had access to the password at the time.

Policies in Offline Workflow mode

  • Policy will be enforced as it existed at the time the appliance, now in Offline Workflow mode, lost network connectivity to the rest of the cluster.

  • Policy requiring a password change after check-in is by-passed and subsequent check-out from the appliance in Offline Workflow mode is allowed.

  • Policy is Read-only. Therefore, update and delete configuration operations are not allowed on the appliance in Offline Workflow mode.
  • Policy changes are only allowed if directed at an online primary within the cluster. Policy changes on the online primary do not affect the appliance in Offline Workflow mode. Once the offline workflow appliance has resumed online operations the policy changes will be distributed.

Workflow in Offline Workflow mode

  • Regular workflow approval rules apply.
  • Time-based constraints and emergency access apply.

Notifications

  • The Appliance Administrator is notified when an appliance has lost consensus (quorum) via the ApplianceStateChangedEvent.

    • A primary will change from Online to PrimaryNoQuorum.
    • A replica will change from Online to one of the following:
      • ReplicaNoQuorum (connected to primary, does not have quorum)
      • ReplicaDisconnected (disconnected from primary, does not have quorum)
      • ReplicaWithQuorum (disconnected from primary, has quorum)

      For more information, see Appliance states.

  • The following events can be configured for email notifications and are written to the audit log:
    • ClusterPrimaryQuorumLostEvent

    • ClusterPrimaryQuorumRestoredEvent

    • ClusterReplicaQuorumLostEvent

    • ClusterReplicaQuorumRestoredEvent

  • All access request notifications are still generated.
  • The Notification service identifies whether access workflow is available on an appliance via the IsPasswordRequestAvailable and IsSessionsRequestAvailable properties. The following API endpoint can be used to make this determination:

    https://<hostname or IP>/service/notification/v2/Status/Availability
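A monitoring probe for the endpoint above, as an added example (not One Identity code). It assumes the endpoint answers a plain GET with a JSON object carrying the two properties at top level, and that ca_file is a PEM bundle containing the CA that issued the appliance certificate; the status strings are this example's own.

```python
import json
import ssl
import urllib.request

# Path as given in the guide; the host is supplied per appliance.
AVAILABILITY_PATH = "/service/notification/v2/Status/Availability"


def classify(body: bytes) -> str:
    """Map a response body to a monitoring status, failing closed on surprises."""
    try:
        doc = json.loads(body)
    except ValueError:  # invalid JSON or invalid UTF-8
        return "malformed"
    if not isinstance(doc, dict):
        return "malformed"
    passwords = doc.get("IsPasswordRequestAvailable")
    sessions = doc.get("IsSessionsRequestAvailable")
    # Only literal JSON booleans are trusted; a missing key or the string
    # "true" is treated as a malformed answer, not as availability.
    if not isinstance(passwords, bool) or not isinstance(sessions, bool):
        return "malformed"
    if passwords and sessions:
        return "available"
    if passwords:
        return "passwords-only"
    if sessions:
        return "sessions-only"
    return "unavailable"


def probe(host: str, ca_file: str, timeout: float = 5.0) -> str:
    """GET the endpoint, verifying the appliance certificate against ca_file."""
    # The default context checks both the chain and the hostname; trusting the
    # appliance CA here avoids the habit of switching verification off.
    ctx = ssl.create_default_context(cafile=ca_file)
    url = f"https://{host}{AVAILABILITY_PATH}"
    try:
        with urllib.request.urlopen(url, timeout=timeout, context=ctx) as resp:
            return classify(resp.read())
    except OSError:  # connection refused, timeout, TLS failure, HTTP error
        return "unreachable"
```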

Audit logs in Offline Workflow mode

  • Prior to network connectivity being restored, everything that happens on the appliance running in Offline Workflow mode is only audited on that appliance.

  • The audit logs merge when network connectivity is restored between the offline member and any other member in the cluster, even while in Offline Workflow mode.
  • The audit data on any cluster member operating in Offline Workflow mode will be lost unless the appliance is returned to the cluster using the resume online operations steps. See To resume online operations.
  • All cluster members that were capable of processing access and session requests must have network connectivity restored to the remainder of the cluster to ensure the cluster wide audit history is maintained.
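Once the audit logs have merged, the accountability gap described under Passwords in Offline Workflow mode can be reviewed using the quorum events listed under Notifications. The following is an added example, not part of the product: it bounds each appliance's loss of consensus from those events (Offline Workflow is only available after consensus is lost) and lists overlapping checkouts of the same account on different appliances. The record layout, appliance names, users and accounts are constructed for illustration and are not the product's export format.

```python
from datetime import datetime

# Event names as listed in the guide.
LOST = {"ClusterPrimaryQuorumLostEvent", "ClusterReplicaQuorumLostEvent"}
RESTORED = {"ClusterPrimaryQuorumRestoredEvent", "ClusterReplicaQuorumRestoredEvent"}

def ts(text):
    return datetime.fromisoformat(text)

def quorum_loss_windows(events):
    """Build {appliance: [(lost_at, restored_at_or_None), ...]} from (time, appliance, name)."""
    windows, open_at = {}, {}
    for when, appliance, name in sorted(events):
        if name in LOST and appliance not in open_at:
            open_at[appliance] = when
        elif name in RESTORED and appliance in open_at:
            windows.setdefault(appliance, []).append((open_at.pop(appliance), when))
    for appliance, when in open_at.items():  # quorum never restored: window still open
        windows.setdefault(appliance, []).append((when, None))
    return windows

def started_without_quorum(checkout, windows):
    return any(lost <= checkout["start"] and (restored is None or checkout["start"] < restored)
               for lost, restored in windows.get(checkout["appliance"], []))

def shared_password_candidates(checkouts, windows):
    """Overlapping checkouts of one account on different appliances, at least one
    of which started while its appliance had no quorum."""
    hits = []
    for i, a in enumerate(checkouts):
        for b in checkouts[i + 1:]:
            if (a["account"] == b["account"] and a["appliance"] != b["appliance"]
                    and a["start"] < b["end"] and b["start"] < a["end"]
                    and (started_without_quorum(a, windows) or started_without_quorum(b, windows))):
                hits.append((a["account"], a["user"], b["user"]))
    return hits

# Constructed sample data (hypothetical layout and values).
EVENTS = [
    (ts("2024-03-01T10:00:00"), "sg-replica-2", "ClusterReplicaQuorumLostEvent"),
    (ts("2024-03-01T14:00:00"), "sg-replica-2", "ClusterReplicaQuorumRestoredEvent"),
]
def _co(user, account, appliance, start, end):
    return {"user": user, "account": account, "appliance": appliance,
            "start": ts(start), "end": ts(end)}
CHECKOUTS = [
    _co("alice", "root@db01", "sg-replica-2", "2024-03-01T11:00:00", "2024-03-01T12:00:00"),
    _co("bob", "root@db01", "sg-primary", "2024-03-01T11:30:00", "2024-03-01T12:30:00"),
    _co("carol", "root@db01", "sg-primary", "2024-03-01T15:00:00", "2024-03-01T16:00:00"),
    _co("dave", "admin@web01", "sg-replica-2", "2024-03-01T11:15:00", "2024-03-01T11:45:00"),
]

if __name__ == "__main__":
    print(shared_password_candidates(CHECKOUTS, quorum_loss_windows(EVENTS)))
```

Each hit names the account and the two users whose access overlapped, which is the set of people to review when a single responsible individual cannot be determined.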

Avoid modifications to the cluster configuration

  • It is recommended that no changes to cluster membership are made while an appliance is in Offline Workflow mode. The Appliance Administrator must manually resume the online operations before adding or removing other nodes to ensure the appliance can seamlessly reintegrate with the cluster.

  • The Appliance Administrator is advised to manually resume the online operations as soon as possible for individual password accountability, policy adherence, and audit integrity.

Considerations to resume online operations

  • The network partition must be corrected before resuming online operations with full functionality.
  • You can resume online operations of an appliance in Offline Workflow mode without a quorum. To resume online operations, it is highly recommended that network connectivity is restored between a majority of the cluster members, including the member in Offline Workflow mode.

  • When resuming online operations, any access requests that are in flight on the appliance that is running in Offline Workflow mode will be dropped.

  • Although it is possible to resume online operations while the appliance is not connected, access requests will then no longer be available.

To enable offline workflow

  1. Navigate to Administrative Tools | Settings | Cluster | Cluster Management.

  2. In the cluster view (left pane) of the offline appliance, click the member of the cluster that is offline.
  3. In the appliance details and cluster health pane (right pane), review the errors and warnings to verify the appliance has lost consensus.

  4. On the offline appliance, click Enable Offline Workflow.

    NOTE: This option is only available when the appliance has lost consensus with the cluster.

    A message like the following displays:

    This appliance will run access workflow in isolation from the cluster to work around loss of consensus with the cluster. Users will be able to request, approve and release passwords and sessions via this appliance using cached data. When connectivity is restored, you should resume online operations to reintegrate this appliance with the cluster and merge audit logs.

    Type 'Enable Offline Workflow' in the box below to confirm.

    See KB263580 for more information.

  5. In the dialog box, type in Enable Offline Workflow and click Enter. The appliance is in Offline Workflow mode and enters maintenance. In the Activity Center, the Event for the appliance goes from Enable Offline Workflow Started to Enable Offline Workflow Completed.
  6. You can verify that new requests are enabled and view the following health checks on the Cluster Management window:
    • If there is communication to the other members in the cluster, while connected to the member in Offline Workflow mode, a message like this displays at the top of the messages: Cluster connectivity detected. When communication is reestablished, you can manually resume online operations to the appliance.
    • A warning icon displays next to an appliance in Offline Workflow mode. An error icon is displayed if viewed from any other member in the cluster if the member is unable to communicate with the member in Offline Workflow mode. At any time, you can click Check Health to update the information.
    • A warning message like the following will display: Request Workflow: Access workflow on this appliance is operating in offline isolation from the cluster. This warning will persist until online operations are resumed by an Appliance Administrator.

To resume online operations

Before resuming online operations, see Considerations to resume online operations.

  1. Navigate to Administrative Tools | Settings | Cluster | Cluster Management.

  2. In the cluster view (left pane), click the member of the cluster that is offline.
  3. On the appliance in Offline Workflow mode, click Resume Online Operations.

    NOTE: This option is only available when the appliance is in Offline Workflow mode.

    A message like the following displays:

    The appliance will be reconfigured for online operations. The appliance will attempt to reintegrate with the cluster and merge audit logs. Refer to the to the Admin Guide for more information.

    Type 'Resume Online Operations' in the box below to confirm.

  4. In the dialog box, type in Resume Online Operations and click Enter.
  5. When maintenance is complete, click Restart Desktop Client. The appliance is returned to Maintenance mode.
  6. You can verify health checks on the Cluster Management window. If a warning icon still displays next to the appliance, select the appliance and click Check Health to re-run the cluster health check and display the most up-to-date health information.

Failing over to a replica by promoting it to be the new primary

Safeguard for Privileged Passwords allows you to failover to a replica appliance by promoting it to be the new primary.

NOTE: You can promote a replica to be the new primary anytime the cluster has consensus (that is, the majority of the cluster nodes are online and able to communicate). If you have a quorum failure (that is, the majority of the cluster members do not achieve consensus), you must perform a cluster reset instead. For more information, see Resetting a cluster that has lost consensus.

To promote a replica to be the new primary in a cluster

  1. Log into a healthy cluster member as an Appliance Administrator.
  2. In Administrative Tools, select Settings | Cluster | Cluster Management.
  3. In the cluster view (left pane), select the replica node that is to become the new primary.
  4. In the details view (right pane), click Failover.
  5. In the Failover confirmation dialog, enter the word Failover and click OK to proceed.

    During the failover operation, all of the appliances in the cluster are placed in Maintenance mode.

    Once the failover operation completes, the selected replica appliance appears as the primary with a state of online. All other appliances (including the "old" primary) in the cluster appear as replicas with a state of online.
