One Identity Safeguard 2.5 - Administration Guide


Session Recordings Storage Management

NOTE: If a Safeguard Sessions Appliance is joined to Safeguard for Privileged Passwords, sessions configuration is handled via Safeguard for Privileged Session.

One Identity Safeguard for Privileged Passwords provides the ability to immediately archive session recordings from a specific Safeguard for Privileged Passwords Appliance to a specified archive target. When an archive server is configured, session recordings for that appliance are removed from the Safeguard for Privileged Passwords Appliance and stored on the archive server. Use the Session Recordings Storage Management pane to assign archive servers to your Safeguard for Privileged Passwords Appliances.

IMPORTANT: When storing session recordings locally, once the local storage reaches capacity, the oldest recordings will be deleted. When storing session recordings to an archive server, the session recording is archived to the designated server immediately upon completion. As soon as the recording is copied to the archive server, it is removed from the appliance storage.

Safeguard for Privileged Passwords allows you to play back a recording that is stored locally or on the archive server. However, if you are playing back a recording that is stored on an archive server you will need to download it before you can play it. For more information, see Replaying a session.

Navigate to Administrative Tools | Settings | Sessions | Session Recordings Storage Management.

Table 221: Session Recordings Storage Management: Properties
| Property | Description |
| --- | --- |
| Appliance ID | The ID assigned to an appliance. |
| Archive Server Name | The name of the designated archive server. |

Use these toolbar buttons to manage archive server configurations for session recordings.

Table 222: Session Recordings Storage Management: Toolbar
| Option | Description |
| --- | --- |
| Refresh | Update the list of designated archive servers being used to archive session recordings. |
| Assign Archive Server to Appliance | Specify the archive server to be associated with the selected appliance. Clicking this button displays the Archive Servers dialog allowing you to select the archive server where session recordings are to be stored for the selected appliance. For more information, see Assigning an archive server to an appliance. |
| Unassign Archive Server from Appliance | Unassign the specified archive server from the selected appliance. |

Assigning an archive server to an appliance

NOTE: If a Safeguard Sessions Appliance is joined to Safeguard for Privileged Passwords, session recording is handled via Safeguard for Privileged Session.

It is recommended that you assign an archive server to each appliance in your Safeguard for Privileged Passwords deployment to store that appliance's session recordings. This best practice will prevent you from filling up the appliance's local disk space.

IMPORTANT: Clustered environment: It is highly recommended that you assign an archive server to at least the primary appliance in a clustered environment. You may also want to consider assigning an archive server to each individual appliance in the cluster.

If a replica in the cluster does not have an archive server assigned to it for its session recordings, the primary appliance will act as a proxy for archiving any recordings for that replica. If the primary appliance does not have an archive server assigned for session recordings, the following will happen:

  • Any recorded session produced by the primary appliance will remain on the primary appliance.
  • All recorded sessions produced by any replica in the cluster without an assigned archive server will also remain on the primary appliance.
  • Each of these recordings will be replicated to every cluster member and therefore consume a lot of disk space throughout the cluster.

Therefore, to avoid filling up disk space on both the primary appliance and the replica appliances, ensure that at least the primary appliance has an archive server assigned for storing session recordings.
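The fallback behavior described above, modeled as an added example (not One Identity code): given the Appliance ID and Archive Server Name values shown in the Session Recordings Storage Management grid, it reports where each appliance's recordings end up and which ones will consume disk space cluster-wide. The appliance IDs, server names and the `is_primary` field are constructed, and the model assumes the proxying primary archives to its own assigned server.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class Appliance:
    appliance_id: str              # "Appliance ID" column
    is_primary: bool               # assumption: cluster role is known to the auditor
    archive_server: Optional[str]  # "Archive Server Name" column, None if unassigned


def resolve_recording_storage(cluster):
    """Return {appliance_id: (outcome, where)} for recordings each member produces."""
    primaries = [a for a in cluster if a.is_primary]
    if len(primaries) != 1:
        raise ValueError("expected exactly one primary appliance")
    primary = primaries[0]
    outcome = {}
    for a in cluster:
        if a.archive_server:
            outcome[a.appliance_id] = ("archived", a.archive_server)
        elif primary.archive_server:
            # Replica without its own server: the primary proxies the archive
            # (assumed here to use the primary's assigned archive server).
            outcome[a.appliance_id] = ("archived-via-primary", primary.archive_server)
        else:
            # Nothing to archive to: the recording stays on the primary and is
            # replicated to every cluster member.
            outcome[a.appliance_id] = ("replicated-cluster-wide", primary.appliance_id)
    return outcome


def disk_risk(cluster):
    """Appliance IDs whose recordings will consume disk space across the cluster."""
    return sorted(k for k, (state, _) in resolve_recording_storage(cluster).items()
                  if state == "replicated-cluster-wide")


# Constructed sample clusters (IDs and server names are made up for illustration).
SAFE = [Appliance("PRIMARY-01", True, "archive-a"),
        Appliance("REPLICA-02", False, None),
        Appliance("REPLICA-03", False, "archive-b")]
RISKY = [Appliance("PRIMARY-01", True, None),
         Appliance("REPLICA-02", False, None),
         Appliance("REPLICA-03", False, "archive-b")]

if __name__ == "__main__":
    for name, cluster in (("SAFE", SAFE), ("RISKY", RISKY)):
        print(name, resolve_recording_storage(cluster), "at risk:", disk_risk(cluster))
```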

To assign an archive server to an appliance

NOTE: Clustered environment: Log into the primary appliance to assign archive servers to your primary appliance and replica appliances.

  1. Navigate to Administrative Tools | Settings | Backup and Retention | Archive Servers to configure your archive servers. For more information, see Adding an archive server.
  2. Navigate to Administrative Tools | Settings | Sessions | Session Recordings Storage Management to assign an archive server to the appliance.

    1. Select the appliance from the grid.
    2. Click the Assign Archive Server to Appliance toolbar button.

    The name of the target archive server will appear in the Archive Server Name column.

Sessions Module

Safeguard for Privileged Passwords has an embedded sessions module.

NOTE: If a Safeguard Sessions Appliance is joined to Safeguard for Privileged Passwords, sessions configuration is handled via Safeguard for Privileged Session.

Navigate to Administrative Tools | Settings | Sessions | Sessions Module. From the Sessions Module pane, an Appliance Administrator can view the current status of the One Identity Safeguard for Privileged Passwords Privileged Sessions module and reset the embedded sessions module.

Table 223: Sessions Module controls
Control Description
Refresh

Click to retrieve and update the session module's status.

Health Check

Click to run and display the results of the health check run against the sessions module.

An additional pane appears, displaying results for the following:

  • HTTP: Checks whether Safeguard for Privileged Passwords can communicate with the sessions module via the internal web interface.
  • SSH: Checks whether Safeguard for Privileged Passwords can communicate with the embedded sessions module via the internal SSH channel.
  • SNMP: Checks whether Safeguard for Privileged Passwords can communicate with the embedded sessions module via the SNMP channel. It also checks whether the sessions module can report significant events back to Safeguard for Privileged Passwords via SNMP.
  • Keys: Checks whether the proper keys are in place in order for the embedded sessions module to communicate back to Safeguard for Privileged Passwords.
  • Internal: Checks whether the embedded sessions module can interact with Safeguard for Privileged Passwords once a session request has been made.

NOTE: The background of the Session Module Health pane changes color to indicate the current health of the embedded sessions module:

  • Green: All components of the embedded sessions module are healthy (OK).
  • Red: An error was encountered with at least one of the components. The error message is displayed.

Click X in the upper right corner to close the Session Module Health pane.

Module Status

Displays the current status of the Privileged Sessions module.

Reset Sessions Module

When the Privileged Sessions module is not responding and users cannot connect to their target systems, click the Reset Sessions Module button to reboot the embedded sessions module. Click Reset Now in the Reset Sessions Module confirmation dialog.

NOTE: Resetting the embedded sessions module will terminate all active sessions.

SSH Banner

NOTE: If a Safeguard Sessions Appliance is joined to Safeguard for Privileged Passwords, sessions configuration is handled via Safeguard for Privileged Session.

It is the responsibility of the Appliance Administrator to define the banner text shown to session users when they initiate a privileged session. The SSH banner notifies session users that One Identity Safeguard for Privileged Passwords will record the current session.

To define the SSH banner text

  1. Navigate to Administrative Tools | Settings | Sessions | SSH Banner.
  2. In the Banner Text box, enter the text to be displayed to session users.
  3. Click OK to save the message.