One Identity Safeguard 2.5 - Administration Guide


Adding an archive server

Use the Archive Servers page on the Backup and Retention settings view to configure archive servers, which can then be selected to archive a backup file or assigned to an appliance to store its session recordings.

To configure an archive server

  1. Navigate to Administrative Tools | Settings | Backup and Retention | Archive Servers.

  2. Click Add Archive Server and provide the following:
    Name

    Enter the display name for the archive server.

    Limit: 100 characters

    Required

    Description

    Enter information about the archive server.

    Limit: 255 characters

    Network Address

    Enter a network DNS name or the IP address used to connect to the server over the network.

    Limit: 255 characters

    Required

    Storage Path

    Enter the file path where you want to store backup files on the archive server.

    Limit: 255 characters

    Required

    Archive Method

    Choose a transfer protocol type:

    • CIFS: Common Internet File System.
    • SCP: Secure Copy Protocol
    • SFTP: Secure File Transfer Program

    Required

    Port

    The port used by SSH to log into the managed system.

    NOTE: Not applicable for CIFS archive mode.

    Authentication Type

    Select the type of authentication to be used to access the archive server:

    • Password (default)
    • Directory Account
    • SSH

      NOTE: Not applicable for CIFS archive mode.

    SSH Key Generation and Deployment Settings

    If SSH is selected as the authentication type, select one of the following settings:

    • Automatically Generate the SSH Key
    • Install and Use SSH Key from Safeguard for Privileged Passwords

      Optionally, select the Manually Deploy the SSH key check box.

      Browse to select the SSH key to be used.

    Account Name

    If Password or SSH is selected as the authentication type, enter the service account name.

    Password

    If Password or SSH is selected as the authentication type, enter the service account password.

    Service Account

    If Directory Account is selected as the authentication type, click Select Account to choose the service account to be used to access the archive server.

    Auto Accept SSH Host Key

    Select this check box to have Safeguard for Privileged Passwords automatically accept the SSH host key when it creates the archive server.

    Test Connection

    Click this button to verify that the appliance can communicate with this archive server. For more information, see About Test Connection.

  3. Click OK.

Once you have configured your archive servers, you need to designate a target archive for both your backup files and session recordings.
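With Auto Accept SSH Host Key selected, the host key is accepted without an administrator comparing it to a known value, so it is worth checking the archive server's key against a fingerprint obtained through a trusted channel. The following Python is an added example, not part of the One Identity guide or product: it computes the OpenSSH-style SHA256 fingerprint of a public host key line and compares it to a recorded value. The function names, the host name archive01.example and the key bytes are constructed for illustration.

```python
import base64
import binascii
import hashlib
import hmac


def parse_host_key(line):
    """Parse '<key-type> <base64-blob> [comment]' and return the raw key blob."""
    fields = line.split()
    if len(fields) < 2:
        raise ValueError("expected '<key-type> <base64-blob> [comment]'")
    key_type, b64 = fields[0].encode(), fields[1]
    try:
        blob = base64.b64decode(b64, validate=True)
    except binascii.Error as exc:
        raise ValueError("key blob is not valid base64") from exc
    # The blob repeats the key type after a 4-byte big-endian length prefix.
    n = int.from_bytes(blob[:4], "big")
    if len(blob) < 4 or blob[4:4 + n] != key_type:
        raise ValueError("key type does not match key blob")
    return blob


def fingerprint(line):
    """OpenSSH-style SHA256 fingerprint: unpadded base64 of SHA-256(blob)."""
    digest = hashlib.sha256(parse_host_key(line)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def host_key_matches(line, recorded):
    """Constant-time comparison with the fingerprint recorded out of band."""
    return hmac.compare_digest(fingerprint(line), recorded.strip())


def constructed_key(seed):
    """Build a well-formed ssh-ed25519 line from constructed bytes (not a real key)."""
    name, key = b"ssh-ed25519", bytes((seed + i) % 256 for i in range(32))
    blob = b"".join(len(p).to_bytes(4, "big") + p for p in (name, key))
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " archive01.example"


# Constructed sample data: no real server or key is involved.
EXPECTED_KEY = constructed_key(1)        # key the archive server admin reported
PRESENTED_KEY = constructed_key(2)       # a different key, as if substituted
RECORDED_FP = fingerprint(EXPECTED_KEY)  # stands in for the out-of-band value

if __name__ == "__main__":
    print("expected key matches: ", host_key_matches(EXPECTED_KEY, RECORDED_FP))
    print("presented key matches:", host_key_matches(PRESENTED_KEY, RECORDED_FP))
```

A mismatch means the key on hand is not the one that was recorded, and the archive server entry should not be trusted until the difference is explained.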

Audit Log Management

Safeguard for Privileged Passwords allows you to define and schedule an audit log management task to purge audit logs from the Safeguard for Privileged Passwords Appliance and archive older audit logs to a designated archive server. Archiving audit logs allows you to keep critical and relevant data online and current while eliminating or archiving audit logs that are no longer required.

Navigate to Administrative Tools | Settings | Backup and Retention | Audit Log Management. Use the Audit Log Management page on the Backup and Retention settings view to define and schedule when to perform an audit log archival task.

Backup and Restore

It is the responsibility of the Appliance Administrator to manage Safeguard for Privileged Passwords backups.

NOTE: When a backup is created, the state of the sessions module is saved, which can be either the embedded sessions module (SPP) or the joined sessions module (SPS). Restoring a backup restores the sessions module to the state when the backup was taken, regardless of the state when the restore was started.

Navigate to Administrative Tools | Settings | Backup and Retention | Safeguard Backup and Restore.

The Safeguard for Privileged Passwords Backup and Restore page lists this information for the backups that are currently in the database.

Table 167: Safeguard for Privileged Passwords Backup and Restore: Properties
Property               Description
Date                   The date of the backup.
Time                   The time of the backup.
Progress               The status of the backup: Running or Complete.
File Size (MB)         The size of the backup file in megabytes.
Appliance Name         The name of the appliance.
Appliance Version      The version of the Safeguard for Privileged Passwords Appliance.
User                   The name of the user that created the backup.
Last Archived Date     The date the selected backup ran.
Archive Server Name    The name of the server on which the backup was archived.

Use these toolbar buttons to manage Safeguard for Privileged Passwords backups.

Table 168: Safeguard for Privileged Passwords Backup and Restore: Toolbar
Option      Description
Run Now     Create a backup copy of the data that is currently on the appliance.
Delete      Remove the selected backup file from the Backups page and the Safeguard for Privileged Passwords database.
Refresh     Update the list of backup files on the Backups page.
Settings    Where you configure an automatic backup schedule.
Download    Save the selected backup file in a location on your appliance.
Upload      Retrieve a backup file from a file location and add it to the Backups page list.
Restore     Overwrite the current data and restore Safeguard for Privileged Passwords to the selected backup.
Archive     Store a backup file on an external archive server. For more information, see Archive backup.

TIP: As a best practice, store backups on an archive server that is external to the appliance so that the backup image is available for restoration even if there is a catastrophic disk or hardware failure. Keep only a minimum number of backup files on the appliance. After you download or archive the backup files, use Delete to remove them from the desktop client application. You can set the maximum number of backup files you want Safeguard for Privileged Passwords to retain on the appliance in Backup and Retention settings.

Run Now

To create a new backup

  1. Navigate to Administrative Tools | Settings | Backup and Retention | Safeguard Backup and Restore.
  2. Click Run Now.

    Safeguard for Privileged Passwords makes a copy of the current database.

Caution: If you restore a backup that is older than the Maximum Password Age set in the Login Control settings, all user accounts (including the bootstrap administrator) will be locked out and you will have to reset all of the user account passwords. To avoid this situation, you can reset the Maximum Password Age to zero before you perform the backup, then reset it after the restore.

TIP: As a best practice, perform backups more frequently than the Maximum Password Age setting.

Caution: Safeguard for Privileged Passwords cannot restore any access request workflow events in process at the time of a backup.
