One Identity Safeguard 2.5 - Administration Guide

Introduction System requirements Installing the One Identity Safeguard for Privileged Passwords desktop client Setting up Safeguard for Privileged Passwords for the first time Getting acquainted with the console Privileged access requests Toolbox Accounts Account Groups Assets Asset Groups Directories Entitlements Partitions Settings
Access Request settings Appliance settings Asset Management settings Backup and Retention settings Certificate settings Cluster settings External Integration settings Messaging settings Profile settings Access settings Sessions settings
Users User Groups Disaster recovery and clusters Administrator permissions Preparing systems for management Troubleshooting Frequently asked questions
How do I access the API How do I audit transaction activity How do I configure external federation authentication How do I manage accounts on unsupported platforms How do I modify the appliance configuration settings How do I prevent Safeguard for Privileged Passwords messages when making RDP connections How do I see which assets and/or accounts are governed by a profile How do I set the appliance system time How do I setup discovery jobs How do Safeguard for Privileged Passwords database servers use SSL What are the access request states What do I do when an appliance goes into quarantine What is required for One Identity Safeguard for Privileged Passwords, embedded sessions module What is required to integrate with Starling Identity Analytics & Risk Intelligence What needs to be set up to use Application to Application What role-based email notifications are generated by default When does the rules engine run for dynamic grouping and tagging Why did the password change during an open request Why join Safeguard for Privileged Passwords to One Identity Starling
Safeguard Desktop Player Appendix: Safeguard ports

Audit Log Signing Certificate

The Audit Log Signing Certificate pane on the Certificates setting page displays details about the certificate used to sign the audit log files saved to an archive server. The audit log signing certificate proves that the audit logs were created by and came from a particular Safeguard for Privileged Passwords cluster.

This signing certificate is used by administrators who want to verify that the exported Audit Log History originated from their Safeguard for Privileged Passwords cluster. This certificate's public key, in addition to the certificate's issuer, must be available if you wish to validate the signed audit log.

It is recommended to generate the CSR from within the Safeguard for Privileged Passwords user interface using the Add Certificate | Create Certificate Signing Request (CSR) option. The administrator will have a copy of the public key which will be used to verify the validity of the archived audit logs.

While Safeguard for Privileged Passwords ships a default audit log signing certificate, One Identity recommends that you load your own.

If you replace the default certificate with your own, the certificate must have the following:

  • Enhanced Key Usage extension with the Server Authentication (1.3.6.1.5.5.7.3.1) OID value.
  • Digital Signature key Usage extension with the Server Authentication (2.5.29.37.3) OID value.

You can have only one audit log signing certificate defined, which is used by all Safeguard for Privileged Passwords Appliances in the same cluster. That is, Safeguard for Privileged Passwords uses the default certificate or a certificate you uploaded to replace the default certificate.

Navigate to Administrative Tools | Settings | Certificates | Audit Log Signing Certificate. The following properties and controls are available to manage your audit log signing certificate.

Table 170: Audit Log Certificates: Properties
Properties/Controls Description
Refresh

Click Refresh to update the certificate displayed on the Audit Log Certificates pane.

Subject

The name of the subject (such as user, program, computer, service or other entity) assigned to the certificate when it was requested.

Thumbprint

A unique hash value that identifies the certificate.

Add Certificate

Click Add Certificate and select one of the following options to replace the default certificate with a new certificate:

  • Install Certificate generated from CSR
  • Install Certificate with Private Key
  • Create Certificate Signing Request (CSR)
Use Default

Click Use Default to reset the certificate back to the default.

Installing an audit log signing certificate

If you do not want to use the default certificate provided with Safeguard for Privileged Passwords, you can replace it with another certificate with a private key.

NOTE: For uploading certificates with private keys, Safeguard for Privileged Passwords supports .pfx ( or .p12) files which follow the PKCS #12 standard.

To install an audit log signing certificate

  1. Navigate to Administrative Tools | Settings | Certificates | Audit Log Signing Certificate.
  2. Click the Add Certificate button for the sessions certificate to be replaced. Select the appropriate option:

    • Install Certificate generated from CSR
    • Install Certificate with Private Key
  3. Browse to select the certificate file (.pfx file) and click OK.
  4. Once installed, this new certificate will replace the default certificate listed on the Audit Log Signing Certificates pane.

Creating a Certificate Signing Request for audit logs

If you do not want to use a default sessions certificate provided with Safeguard for Privileged Passwords, you can enroll a certificate using a Certificate Signing Request (CSR) to replace the default certificate.

To create a CSR for an audit log signing certificate

  1. Navigate to Administrative Tools | Settings | Certificates | Audit Log Signing Certificate.
  2. Click the Add Certificate button for the certificate to be replaced and select Create Certificate Signing Request (CSR).
  3. In the Certificate Signing Request dialog, enter the following information:
    1. Subject (Distinguished Name): Enter the distinguished name of the person or entity to whom the certificate is being issued. Maximum length of 500 characters.

      Note: Click Use Distinguished Name Creator to create the distinguished name based on fully-qualified domain name, department, organization unit, locality, state/county/region, and country.

    2. Alternate DNS Names: Optionally, enter additional or alternate host names (such as, IP addresses, sites, common names) that are to be protected by this certificate.
    3. Key Size: Select the bit length of the private key pair:

      • 1024
      • 2048 (default)
      • 4096

      NOTE: The bit length determines the security level of the certificate. A higher bit length means stronger security.

  4. Click OK to save your selections and enroll the certificate.

    Certificates enrolled via CSR are listed in the Certificate Signing Request pane.

Certificate Signing Request

Some certificates require a digital signature before a certification authority (CA) can process the certificate request. The Certificate Signing Request pane displays details about any certificates enrolled via Certificate Signing Requests (CSRs). From this pane, you can also delete a CSR.

NOTE: Safeguard for Privileged Passwords supports the Public-Key Cryptography Standard (PKCS) #10 format for CSRs.

Navigate to Administrative Tools | Settings | Certificates | Certificate Signing Request. Certificates enrolled via a CSR appear on this pane including the following details.

Table 171: Certificate Signing Request: Properties
Property Description
Subject

The distinguished name of the person or entity to whom the certificate is being issued.

Certificate Type

The type of certificate requested:

  • Audit Log Signing Certificate
  • RDP Connection Signing Certificate
  • Session Recording Signing Certificate
  • SSL Certificate
  • Timestamping Authority Certificate
Thumbprint A unique hash value that identifies the certificate.
Key Size The bit length of the private key pair.

Use these toolbar buttons to manage certificate signing requests.

Table 172: Certificate Signing Request: Toolbar
Option Description
Delete Selected

Delete the selected CSR from Safeguard for Privileged Passwords.

Refresh Update the list of CSRs.
Related Documents