Chat now with support

Get Live Help
Complete Registration

Sign In

Request Pricing

Contact Sales

One Identity Safeguard for Privileged Sessions 6.0.11 - Administration Guide

Table of Contents

Summary of changes

The major benefits of One Identity Safeguard for Privileged Sessions (SPS) Application areas

The concepts of One Identity Safeguard for Privileged Sessions (SPS)

The philosophy of One Identity Safeguard for Privileged Sessions (SPS) Policies Credential Stores Plugin framework Indexing Supported protocols and client applications

HTTP Secure Shell Protocol Remote Desktop Protocol ICA Telnet Remote Desktop Gateway Server Protocol (RDGSP) Virtual Network Computing VMware Horizon View

Modes of operation

Transparent mode Single-interface transparent mode Non-transparent mode Inband destination selection

Connecting to a server through One Identity Safeguard for Privileged Sessions (SPS)

Connecting to a server through One Identity Safeguard for Privileged Sessions (SPS) using SSH Connecting to a server through One Identity Safeguard for Privileged Sessions (SPS) using RDP Connecting to a server through One Identity Safeguard for Privileged Sessions (SPS) using an RD Gateway

Archive and backup concepts

Configuration export System backup Connection backup Connection archive Support bundle Debug logs Connection logs Core dump files

Maximizing the scope of auditing IPv6 in One Identity Safeguard for Privileged Sessions (SPS) SSH hostkeys Authenticating clients using public-key authentication in SSH The gateway authentication process Four-eyes authorization Network interfaces High Availability support in One Identity Safeguard for Privileged Sessions (SPS)

Firmware and high availability

Versions and releases of One Identity Safeguard for Privileged Sessions (SPS) Accessing and configuring One Identity Safeguard for Privileged Sessions (SPS)

Cloud deployment considerations

AWS deployment Azure deployment

Limitations Prerequisites High Availability and redundancy in Microsoft Azure

Redundancy High Availability

The Welcome Wizard and the first login

The initial connection to One Identity Safeguard for Privileged Sessions (SPS)

Creating an alias IP address (Microsoft Windows) Creating an alias IP address (Linux) Modifying the IP address of One Identity Safeguard for Privileged Sessions (SPS) Accessing the Welcome Wizard from a non-standard interface

Configuring One Identity Safeguard for Privileged Sessions (SPS) with the Welcome Wizard Logging in to One Identity Safeguard for Privileged Sessions (SPS) and configuring the first connection

Supported web browsers and operating systems The structure of the web interface

Elements of the main workspace Multiple users and locking Web interface timeout Preferences

Network settings

Configuring user and administrator login addresses Managing logical interfaces Routing uncontrolled traffic between logical interfaces Configuring the routing table

Configuring date and time System logging, SNMP and e-mail alerts

Configuring system logging Configuring e-mail alerts Configuring SNMP alerts Querying SPS status information using agents Customize system logging in One Identity Safeguard for Privileged Sessions (SPS)

Configuring system monitoring on SPS

Configuring monitoring Health monitoring Preventing disk space fill-up System related traps Traffic related traps

Data and configuration backups

Creating a backup policy using Rsync over SSH Creating a backup policy using SMB/CIFS Creating a backup policy using NFS Creating configuration backups Creating data backups Encrypting configuration backups with GPG

Archiving and cleanup

Creating a cleanup policy Creating an archive policy using SMB/CIFS Creating an archive policy using NFS Archiving or cleaning up the collected data

Forwarding data to third-party systems

Using the Splunk forwarder Universal SIEM Forwarder

Message types forwarded to SIEMs Message format forwarded to SIEMs

CEF JSON JSON-CIM CEF messages JSON messages JSON_CIM messages

Joining to One Identity Starling

Joining SPS to One Identity Starling with Credential String Unjoining SPS from One Identity Starling

User management and access control

Managing One Identity Safeguard for Privileged Sessions (SPS) users locally

Creating local users in One Identity Safeguard for Privileged Sessions (SPS) Deleting a local user from One Identity Safeguard for Privileged Sessions (SPS)

Setting password policies for local users Managing local usergroups Managing One Identity Safeguard for Privileged Sessions (SPS) users from an LDAP database Authenticating users to a RADIUS server Authenticating users with X.509 certificates Managing user rights and usergroups

Assigning privileges to usergroups for the One Identity Safeguard for Privileged Sessions (SPS) web interface Modifying group privileges Finding specific usergroups Using usergroups Built-in usergroups of One Identity Safeguard for Privileged Sessions (SPS)

Listing and searching configuration changes

Using the internal search interface

Filtering Exporting the results Customizing columns of the internal search interface

Displaying the privileges of users and user groups

Managing One Identity Safeguard for Privileged Sessions (SPS)

Controlling One Identity Safeguard for Privileged Sessions (SPS): reboot, shutdown

Disabling controlled traffic Disabling controlled traffic permanently

Managing Safeguard for Privileged Sessions (SPS) clusters

Cluster roles Enabling cluster management Building a cluster Assigning roles to nodes in your cluster Configuration synchronization across nodes in a cluster

Configuration synchronization and SSH keys Using a configuration synchronization plugin

Monitoring the status of nodes in your cluster Updating the IP address of a node in a cluster Managing a cluster with configuration synchronization without central search Managing a cluster with central search configuration and configuration synchronization

Managing a high availability One Identity Safeguard for Privileged Sessions (SPS) cluster

HA cluster configuration and management options Adjusting the synchronization speed Redundant heartbeat interfaces Next-hop router monitoring

Upgrading One Identity Safeguard for Privileged Sessions (SPS)

Upgrade checklist Upgrading One Identity Safeguard for Privileged Sessions (SPS) (single node) Upgrading a high availability One Identity Safeguard for Privileged Sessions (SPS) cluster Troubleshooting Exporting the configuration of One Identity Safeguard for Privileged Sessions (SPS) Importing the configuration of One Identity Safeguard for Privileged Sessions (SPS)

Managing the One Identity Safeguard for Privileged Sessions (SPS) license

Updating the SPS license

Accessing the One Identity Safeguard for Privileged Sessions (SPS) console

Using the console menu of One Identity Safeguard for Privileged Sessions (SPS) Enabling SSH access to the One Identity Safeguard for Privileged Sessions (SPS) host Changing the root password of One Identity Safeguard for Privileged Sessions (SPS) Firmware update using SSH Exporting and importing the configuration of One Identity Safeguard for Privileged Sessions (SPS) using the console

Disabling sealed mode

Out-of-band management of One Identity Safeguard for Privileged Sessions (SPS)

Configuring the IPMI from the console Configuring the IPMI from the BIOS

Managing the certificates used on One Identity Safeguard for Privileged Sessions (SPS)

Generating certificates for One Identity Safeguard for Privileged Sessions (SPS) Uploading external certificates to One Identity Safeguard for Privileged Sessions (SPS) Generating TSA certificate with Windows Certificate Authority on Windows Server 2008 Generating TSA certificate with Windows Certificate Authority on Windows Server 2012

General connection settings

Configuring connections Modifying the destination address Configuring inband destination selection Modifying the source address Creating and editing channel policies Real-time content monitoring with Content Policies

Creating a new content policy

Configuring time policies Creating and editing user lists Authenticating users to an LDAP server Audit policies

Encrypting audit trails Timestamping audit trails with built-in timestamping service Timestamping audit trails with external timestamping service Digitally signing audit trails

Verifying certificates with Certificate Authorities Signing certificates on-the-fly

Creating an external Signing CA

Creating a Local User Database Configuring cleanup for the One Identity Safeguard for Privileged Sessions (SPS) connection database

HTTP-specific settings

Limitations in handling HTTP connections Authentication in HTTP and HTTPS Creating a new HTTP authentication policy Setting up HTTP connections

Setting up a transparent HTTP connection Enabling One Identity Safeguard for Privileged Sessions (SPS) to act as a HTTP proxy Enabling TLS encryption in HTTP Configuring half-sided SSL encryption in HTTP

Session-handling in HTTP Creating and editing protocol-level HTTP settings

ICA-specific settings

Setting up ICA connections Supported ICA channel types Creating and editing protocol-level ICA settings One Identity Safeguard for Privileged Sessions (SPS) deployment scenarios in a Citrix environment Troubleshooting Citrix-related problems

RDP-specific settings

Supported RDP channel types Creating and editing protocol-level RDP settings Network Level Authentication (NLA) with One Identity Safeguard for Privileged Sessions (SPS)

Network Level Authentication (NLA) with domain membership Using One Identity Safeguard for Privileged Sessions (SPS) across multiple domains Network Level Authentication without domain membership

Verifying the certificate of the RDP server in encrypted connections Enabling TLS-encryption for RDP connections Using One Identity Safeguard for Privileged Sessions (SPS) as a Remote Desktop Gateway Configuring Remote Desktop clients for gateway authentication Inband destination selection in RDP connections Usernames in RDP connections Saving login credentials for RDP on Windows Configuring RemoteApps Configuring SPS to enable exporting files from audit trails after RDP file transfer via clipboard

SSH-specific settings

Setting the SSH host keys of the connection Supported SSH channel types Authentication Policies

Creating a new authentication policy Client-side authentication settings

Local client-side authentication

Relayed authentication methods Configuring your Kerberos environment Kerberos authentication settings

Server host keys

Automatically adding the host keys of a server to One Identity Safeguard for Privileged Sessions (SPS) Manually adding the host key of a server

Creating and editing protocol-level SSH settings Supported encryption algorithms

Telnet-specific settings

Enabling TLS-encryption for Telnet connections Creating a new Telnet authentication policy Extracting username from Telnet connections Creating and editing protocol-level Telnet settings Inband destination selection in Telnet connections Limitations of using TN5250 protocol with IBM iSeries Access for Windows

VMware Horizon View connections

One Identity Safeguard for Privileged Sessions (SPS) deployment scenarios in a VMware environment

VNC-specific settings

Enabling TLS-encryption for VNC connections Creating and editing protocol-level VNC settings

Indexing audit trails

Configuring the internal indexer Configuring external indexers

Prerequisites and limitations Hardware requirements for the external indexer host Configuring One Identity Safeguard for Privileged Sessions (SPS) to use external indexers Installing the external indexer Configuring the external indexer Uploading decryption keys to the external indexer Configuring a hardware security module (HSM) or smart card to integrate with external indexer

Setting up and testing the environment Encrypting a PKCS#11 PIN Starting and restarting the external-indexer service when using a custom password for PKCS#11 PIN encryption Configuring SoftHSM Configuring AWS CloudHSM Configuring a smart card

Customizing the indexing of HTTP traffic Starting the external indexer Disabling indexing on One Identity Safeguard for Privileged Sessions (SPS) Managing the indexers Upgrading the external indexer Troubleshooting external indexers

Monitoring the status of the indexer services HTTP indexer configuration format

HTTP indexer configuration options

Using the Search interface

Search Permissions Specifying time ranges Using search filters

List of available search filters

Searching in the contents of audit trails Displaying statistics on search results Analyzing data using One Identity Safeguard for Privileged Analytics The search and filter process Viewing session details Replaying audit trails in your browser Replaying encrypted audit trails in your browser Creating report subchapters from search queries

Creating search-based report subchapters from search results Creating search-based report subchapters from scratch

Search interface changes between version 5.0 and 6.0

Searching session data on a central node in a cluster Advanced authentication and authorization techniques

Configuring usermapping policies Configuring gateway authentication

Configuring out-of-band gateway authentication Performing out-of-band gateway authentication on One Identity Safeguard for Privileged Sessions (SPS) Performing inband gateway authentication in SSH and Telnet connections Performing inband gateway authentication in RDP connections Troubleshooting gateway authentication

Configuring four-eyes authorization

Configuring four-eyes authorization Performing four-eyes authorization on One Identity Safeguard for Privileged Sessions (SPS)

Using credential stores for server-side authentication

Configuring local Credential Stores Performing gateway authentication to RDP servers using local Credential Store and NLA Configuring password-protected Credential Stores Unlocking Credential Stores Using a custom Credential Store plugin to authenticate on the target hosts

Integrating external authentication and authorization systems

How Authentication and Authorization plugins work Using a custom Authentication and Authorization plugin to authenticate on the target hosts Performing authentication with AA plugin in terminal connections Performing authentication with AA plugin in Remote Desktop connections Integrating ticketing systems

Performing authentication with ticketing integration in terminal connections Performing authentication with ticketing integration in Remote Desktop connections

Creating a custom plugin Plugin troubleshooting

Contents of the operational reports Configuring custom reports Creating reports from audit trail content Creating report subchapters from search queries

Creating search-based report subchapters from search results Creating search-based report subchapters from scratch

Creating statistics from custom database queries Database tables available for custom queries

The alerting table The aps table The archives table The audit_trail_downloads table The channels table The closed_connection_audit_channels view The closed_not_indexed_audit_channels view The connection_events view The connection_occurrences view The connections view The events table The file_xfer table The http_req_resp_pair table The indexer_jobs table The occurrences table The progresses table The results table The skipped_connections table The usermapped_channels view Querying trail content with the lucene-search function

Generating partial reports Creating PCI DSS reports Contents of PCI DSS reports

The One Identity Safeguard for Privileged Sessions (SPS) RPC API

Requirements for using the RPC API RPC client requirements Locking One Identity Safeguard for Privileged Sessions (SPS) configuration from the RPC API Documentation of the RPC API Enabling RPC API access to One Identity Safeguard for Privileged Sessions (SPS)

The One Identity Safeguard for Privileged Sessions (SPS) REST API One Identity Safeguard for Privileged Sessions (SPS) scenarios

Configuring public-key authentication on One Identity Safeguard for Privileged Sessions (SPS)

Configuring public-key authentication using local keys Configuring public-key authentication using an LDAP server and a fixed key Configuring public-key authentication using an LDAP server and generated keys

Organizing connections in non-transparent mode

Organizing connections based on port numbers Organizing connections based on alias IP addresses

Using inband destination selection in SSH connections

Using inband destination selection with PuTTY Using inband destination selection with OpenSSH Using inband selection and nonstandard ports with PuTTY Using inband selection and nonstandard ports with OpenSSH Using inband destination selection and gateway authentication with PuTTY Using inband destination selection and gateway authentication with OpenSSH

SSH usermapping and keymapping in AD with public key

Troubleshooting One Identity Safeguard for Privileged Sessions (SPS)

Network troubleshooting Gathering data about system problems Viewing logs on One Identity Safeguard for Privileged Sessions (SPS) Changing log verbosity level of One Identity Safeguard for Privileged Sessions (SPS) Collecting logs and system information for error reporting Support hotfixes Status history and statistics

Connection statistics Memory Disk CPU Network connections Interface Load average Number of processes Displaying custom connection statistics

Troubleshooting a One Identity Safeguard for Privileged Sessions (SPS) cluster

Understanding One Identity Safeguard for Privileged Sessions (SPS) cluster statuses Recovering One Identity Safeguard for Privileged Sessions (SPS) if both nodes broke down Recovering from a split brain situation Replacing a HA node in a One Identity Safeguard for Privileged Sessions (SPS) cluster Resolving an IP conflict between cluster nodes

Understanding One Identity Safeguard for Privileged Sessions (SPS) RAID status Restoring One Identity Safeguard for Privileged Sessions (SPS) configuration and data VNC is not working with TLS Configuring the IPMI from the BIOS after losing IPMI password Incomplete TSA response received Using UPN usernames in audited SSH connections

Using SPS with SPP

Configuring the Passwords-initiated workflow

Configuring SPP for Passwords-initiated workflow

Joining SPS to SPP Troubleshooting the SPS to SPP join

Configuring external devices

Configuring advanced routing on Linux Configuring advanced routing on Cisco routers Configuring advanced routing on Sophos UTM (formerly Astaro Security Gateway) firewalls

Using SCP with agent-forwarding Security checklist for configuring One Identity Safeguard for Privileged Sessions (SPS)

Encryption-related settings Connection policies Appliance access Networking considerations

Jumplists for in-product help

Basic Settings > Management Basic Settings > Local Services Basic Settings > System <Protocol name> Control > Global Options

LDAP user and group resolution in SPS

Overview Common to all backends POSIX LDAP backend Active Directory LDAP backend

Appendix: Deprecated features

Deprecated: Using the Search (classic) interface

Searching audit trails: the One Identity Safeguard for Privileged Sessions (SPS) connection database

Connection details Replaying audit trails in your browser in Search (classic) Replaying encrypted audit trails in your browser Using the content search Connection metadata Using and managing search filters

Creating and saving filters for later use

The search and filter process

Displaying statistics on search results

Authenticating users with X.509 certificates

User management and access control > Authenticating users with X.509 certificates

One Identity Safeguard for Privileged Sessions (SPS) provides a method to authenticate the users of the web interface with X.509 client certificates. The client certificate is validated against a CA list, and the username is exported from the client certificate for identification. One Identity recommends using 2048-bit RSA keys (or stronger).

To authenticate SPS users on the SPS web interface with X.509 client certificates, complete the following steps.

Prerequisites

You will have to upload the CA certificates that issued the certificates of the users, so this CA certificate must be available on your computer in PEM format.
The certificates of the users must contain the username used to authenticate on SPS. You must know which certificate field will contain the usernames (for example, CN or UID).
The certificates must be imported into the browsers of the users. SPS offers the possibility to authenticate with a certificate only if a personal certificate is available in the browser.

Figure 73: Policies > Trusted CA Lists — Creating Trusted CA lists

To authenticate users with X.509 certificates

Navigate to Policies > Trusted CA Lists and create a Trusted CA List.
If the user certificates contain the username in the Common Name field, make sure that the Strict Hostname Check is disabled.
Upload the CA certificate.
Adjust other settings as needed. For details on creating a trusted CA list, see Verifying certificates with Certificate Authorities.
Click .
Navigate to AAA > Settings > Authentication settings.

Figure 74: AAA > Settings > Authentication settings — Configuring X.509 authentication
Select X.509.
Select the trusted CA list created in the first step in Authentication CA.
Select which field of the user certificate contains the username in the Parse username from field. In most cases, it is the commonName or userid field, but SPS supports the emailAddress and userPrincipalName fields as well.
To allow the admin user to be able to log in without using X.509 authorization, select Enable fallback for admin. This will fallback to password authentication.
Click .

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating

© ALL RIGHTS RESERVED. Feedback Terms of Use Privacy Cookie Preference Center