The Asset Administrator can link a Safeguard for Privileged Sessions (SPS) cluster to a Safeguard for Privileged Password (SPP) cluster of one appliance or more for session recording and auditing. The actual link must be between the SPP primary and the SPS cluster master. This means that the Safeguard for Privileged Sessions (SPS) cluster is aware of each node in an SPP cluster and vice-versa.
Once linked, all sessions are initiated by the SPP appliance via an access request and managed by the SPS appliance and sessions are recorded via the Sessions Appliance.
|
CAUTION: When linking your One Identity Safeguard for Privileged Sessions (SPS) deployment to your One Identity Safeguard for Privileged Passwords (SPP) deployment, ensure that the SPS and SPP versions match exactly, and keep the versions synchronized during an upgrade. For example, you can only link SPS version 6.6 to SPP version 6.6, and if you upgrade SPS to version 6.7, you must also upgrade SPP to 6.7.
Make sure that you do not mix Long Term Supported (LTS) and feature releases. For example, do not link an SPS version 6.0.1 to an SPP version 6.1. |
NOTE: If you have a single node SPS cluster where the Central Management node is also the Search Master, SPP will be unable to launch sessions. There has to be at least one SPS appliance in the cluster that is capable of recording sessions. See the SPS Administration Guide, Managing Safeguard for Privileged Sessions (SPS) clusters.
Safeguard for Privileged Passwords link guidance
Before initiating the link, review the steps and considerations in the link guidance. For more information, see SPP and SPS sessions appliance link guidance.
Pay attention to the roles assigned to the SPS nodes. The following caution is offered to avoid losing session playback from SPP.
|
CAUTION: Do not switch the role of an SPS node from the Search Local role to Search Minion role. If you do, playback of the sessions recorded while in the Search Local role may not be played back from the SPP appliance, and may only be played back via the SPS web user interface. Recordings made with the node in Search Minion role are pushed to the Search Master node and are available for download to SPP. For details about SPS nodes and roles, see the One Identity Safeguard for Privileged Sessions Administration Guide: One Identity Safeguard for Privileged Sessions - Technical Documentation. |
Standard operating procedure after the initial link
If you add another SPS cluster after the initial link, follow these standard operating procedures:
- Add link connections. See Viewing, deleting, or editing link connections later in this topic.
-
Identify the session settings on the entitlements access request policy (SPS Connection Policy which is the IP address of the cluster master). For more information, see Creating an access request policy
- Assign the managed networks. For more information, see Managed Networks.
- Enable the Session Access Enabled toggle .
If the SPS Central Management node is down
SPP continues to launch sessions on the managed hosts when the SPS Central Management node is down. However, as long as the Central Management node is down, SPP cannot validate existing policies nor can it validate the SPS cluster topology. See the Safeguard for Privileged Sessions Administration Guide, Managing a High Availability One Identity Safeguard for Privileged Sessions (SPS) cluster.
Connection deletion: soft delete versus hard delete
Depending on your goals, you can perform a soft delete or a hard delete.
Soft delete the connection
When a session connection is deleted, the connection information is soft deleted so that a relink of the same SPS appliance can reuse the same values. This approach of soft deleting and reusing the same connection values on a relink avoids "breaking" all of the Access Request Polices that referenced the previous session connection.
Hard delete the connection
A hard delete can be performed to permanently remove the session connection. This is usually only done in cases where either a relink is not desired or retaining the previous session connection values is preventing an SPS appliance from linking or relinking.
A hard delete can be performed from the API using the following steps for using PowerShell or Swagger.
Hard delete with PowerShell
The latest version of Safeguard PowerShell includes two cmdlets to perform the hard delete:
split-safeguardSessionCluster -SessionMaster <name or ID of session master>
Remove-SafeguardSessionSplitCluster -SessionMaster <name or ID of session master>
See OneIdentity/safeguard-ps.
Hard delete with Swagger
- In a browser, navigate to https://<your-ip-address>/service/core/swagger.
- Authenticate to the service using the Authorize button.
- Navigate to Cluster->GET /v3/cluster/SessionModules and click Try it out!.
- Identify if the unwanted session connection exists on the list:
- If the unwanted session connection exists in the list, then:
- Note the ID of the session connection.
- Navigate to Cluster DELETE /v3/cluster/SessionModules.
- Enter the ID.
- Click Try it out!”.
- Go to step 3.
- If the unwanted session connection does not exist in the list, then:
- Set the includeDisconnected parameter to true.
- Click Try it out!.
- If the unwanted session connection exists in the list, then go to step 4a to delete the entry a second time which will result in a hard delete.
- The process is complete and the session connection is permanently removed.
Viewing, deleting, or editing link connections
Once the link is complete, go to Session Appliances:
- web client: Navigate to Cluster > Session Appliances.
The Session Appliances pane displays the following session details.
Table 42: Session Appliances: Properties
Host Name |
The host name of the SPS appliance host cluster master. |
Managed Hosts |
Other nodes in the SPS cluster identified by the managed host name and IP address. Hover over any Warning icon to see if the Managed Host is Unavailable or Unknown. |
Network Address |
The network DNS name or IP address of the session connection. |
Connection User |
The user name for Safeguard for Privileged Passwords (SPP). Do not include spaces in the user name. |
Thumbprint |
A unique hash value that identifies the certificate. |
Description |
(optional) Descriptive text about the SPS session connection (for example, 20 on cluster - 172 primary node). |
Double-click a Host Name row to bring up the Session Module Connection dialog.
Table 43: Session Module Connection: Properties
Node ID |
The name of the Safeguard for Privileged Sessions Appliance used to authenticate the linked SPS session connection. |
Host Name |
The host name of the SPS appliance host cluster master. |
Connection Username |
The user name for Safeguard for Privileged Passwords (SPP). Do not include spaces in the user name. |
Description |
(Optional) Descriptive text about the SPS session connection (for example, 20 on cluster - 172 primary node). |
Network Address |
The network DNS name or IP address of the session connection. |
Use Host Name For Launch (not IP address) |
If checked, the connection string used to launch a session uses the host name of the SPS appliance rather than the IP address. |
Use these toolbar buttons to manage sessions.
Table 44: Sessions Management: Toolbar
Remove |
Remove the selected linked SPS session connection. For details on soft versus hard deletes, see Connection deletion: soft delete versus hard delete earlier in this topic. |
Edit |
Modify the selected linked SPS session connection Description or Network Address on the Session Module Connection dialog. |
Refresh |
Update the list of linked SPS session connections. |
Safeguard for Privileged Passwords allows you to enable or disable access request and password and SSH key management services. These settings control password or SSH key release requests, manual account password or SSH key validation, and reset tasks, as well as the automatic profile check and change tasks in Partitions. You can also enable or disable discovery tasks, directory sync, and the Audit Log Stream Service.
Services are enabled by default except for the Audit Log Stream Service.
By default, services are disabled for service accounts and for accounts and assets found as part of a discovery job. Service accounts can be modified to adhere to these schedules and discovered accounts can be activated when managed.
It is the responsibility of the Appliance Administrator to manage these settings.
Navigate to Enable or Disable Services to see the settings listed below.
- Appliance Administrators can click the Disable all enabled services button to disable all services (as long as at least one service is currently enabled). A dialog will appear asking for confirmation before disabling the services.
- Click a toggle to change a setting: toggle on and toggle off.
- Click Refresh to update the information on the page.
Table 45: Enable or Disable Services settings
Disable all enabled services |
Appliance Administrators can use this button to disable all services (as long as at least one service is currently enabled). A dialog will appear asking for confirmation before disabling the services. You will need to reenable each service individually. |
Requests |
Session Requests Enabled |
Session requests are enabled by default, indicating that authorized users can make session access requests. There is a limit of 1,000 sessions on a single access request.
Click the Session Requests toggle to disable this service so sessions can not be requested.
NOTE: When Session Requests is disabled, no new session access requests can be initiated. Depending on the access request policies that control the target asset/account, you will see a message informing you that the Session Request feature is not available.
In addition, current session access requests cannot be launched. A message appears, informing you that Session Requests is not available. For example, you may see the following message: This feature is temporarily disabled. See your appliance administrator for details. |
Password requests |
Password requests are enabled by default, indicating that authorized users can make password release requests
Click the Password requests toggle to disable this service so passwords can not be requested.
NOTE: Disabling the password request service will place any open requests on hold until this service is reenabled. |
SSH Key requests |
SSH key requests are enabled by default, indicating that authorized users can make SSH key release requests
Click the SSH Key requests toggle to disable this service so SSH keys can not be requested.
NOTE: Disabling the password request service will place any open requests on hold until this service is reenabled. |
Password Management |
Check password management |
Check password management is enabled by default, indicating that Safeguard for Privileged Passwords automatically performs the password check task if the profile is scheduled, and allows you to manually check an account's password.
Click the Check password management toggle to disable the password validation service.
NOTE: Safeguard for Privileged Passwords enables automatic password management services by default. Typically, you would only disable them during an organization-wide maintenance window.
When disabling a password management service, Safeguard for Privileged Passwords allows all currently running tasks to complete; however, no new tasks will be allowed to start. |
Change password management |
Change password management is enabled by default, indicating that Safeguard for Privileged Passwords automatically performs the password change task if the profile is scheduled, and allows you to manually reset an account's password.
Click the Change password management toggle to disable the password reset service.
NOTE: Safeguard for Privileged Passwords enables automatic password management services by default. Typically, you would only disable them during an organization-wide maintenance window.
When disabling a password management service, Safeguard for Privileged Passwords allows all currently running tasks to complete; however, no new tasks will be allowed to start. |
SSH Key Management |
Check SSH Key |
SSH key check is enabled by default, indicating that SSH key check is managed per the profile governing the partition's assigned assets and the assets' accounts.
Click the Check SSH Key toggle to disable the check service. |
Change SSH Key |
SSH key change is enabled by default, indicating that SSH key change is managed per the profile governing the partition's assigned assets and the assets' accounts.
Click the Change SSH Key toggle to disable the change service. |
Discovery |
Asset discovery |
Asset discovery is enabled by default, indicating that available Asset Discovery jobs find assets by searching directory assets, such as Active Directory, or by scanning network IP ranges. For more information, see Discovery. |
Account discovery |
Account discovery is enabled by default, indicating that available Account Discovery jobs find accounts by searching directory assets such as Active Directory or by scanning local account databases on Windows and Unix assets (/etc/passwd) that are associated with the account discovery job. For more information, see Discovery. |
Service discovery |
Service discovery is enabled by default, indicating that available Service Discovery jobs find Windows services that run as accounts managed by Safeguard. For more information, see Discovery. |
SSH Key discovery |
SSH key discovery is enabled by default. With the toggle on, SSH keys in managed accounts are discovered. For more information, see SSH Key Discovery. |
Directory |
Directory sync |
Directory sync is enabled by default, indicating that additions or deletions to directory assets are synchronized. You can set the number of minutes for synchronization. For more information, see Management tab (add asset). |
Audit |
|
Audit Log Stream Service |
Use this to send Safeguard for Privileged Passwords data to Safeguard for Privileged Sessions (SPS) to audit the Safeguard privileged management software suite. The feature is disabled by default.
To accept SPP data, the SPS Appliance Administrator must turn on audit log syncing. For information, see the Safeguard for Privileged Sessions Administration Guide.
SPP and SPS must be linked to use this feature. For more information, see SPP and SPS sessions appliance link guidance.
While the synchronization of SPP and SPS is ongoing, SPS is not guaranteed to have all of the audit data at any given point due to some latency.
NOTE: This setting is also available under Security Policy Management > Settings. For more information, see Security Policy Settings. |
Application to Application |
|
Application to Application Enabled (This appliance only) |
Use this toggle to enable or disable the application to application connection behind a web application firewall via the TLS termination reverse proxy.
The following configuration information is displayed and can be updated using the button:
|
The Appliance Administrator can:
- Configure the appliance to send event notifications to various external systems.
- Integrate with an external ticketing system or track generic ticket numbers.
- Configure both external and secondary authentication service providers.
Go to External Integration:
- web client: Navigate to Appliance Management > External Integration.
Table 46: External Integration settings
Email |
Where you configure Safeguard for Privileged Passwords to automatically send email notifications when certain events occur. |
Email Templates |
Where you configure Safeguard for Privileged Passwords email templates. |
Hardware Security Module |
Where you configure the Hardware Security Module integration, which allows Safeguard for Privileged Passwords to utilize an external Hardware Security Module device for encryption. |
SNMP |
Where you configure Safeguard for Privileged Passwords to send SNMP traps to your SNMP console when certain events occur. |
Starling |
Where you join Safeguard for Privileged Passwords to Starling to take advantage of Starling services. |
Syslog |
Where you configure Safeguard for Privileged Passwords to send event notifications to a syslog server with details about the event. |
Syslog Events |
Where, using an existing syslog server, you create a subscriber and assign events. |
Ticket systems |
Where you configure Safeguard for Privileged Passwords to integrate with your company's external ticket system or track generic tickets and not integrate with an external ticketing system. |
Trusted Servers, CORS, and Redirects |
Where you can restrict login redirects and Cross Origin Resource Sharing (CORS) requests to a specified list of IP addresses, host names (including DNS wildcards), and CIDR notation networks. |
It is the responsibility of the Appliance Administrator to configure Safeguard for Privileged Passwords to automatically send email notifications when certain events occur.
Use the Email pane to configure the SMTP server to be used for email notifications and to edit the email templates that define the content of email notifications.
Before you start
Before configuring the SMTP server, perform the following, as needed.
To configure the SMTP Server
- Go to SMTP Server:
- web client: Navigate to External Integration > Email.
- To configure the email notifications, enter these global settings for all emails:
- SMTP Server Address: Enter the IP address or DNS name of the mail server. When unspecified, the email client is disabled.
When entering an IPv6 address, you must encapsulate it in square brackets, such as [b86f:b86f:b86f:1:b86f:b86f:b86f:b86f].
If you are using a mail exchanger record (MX record), you must specify the domain name for the mail server.
- SMTP Port: A default port is set for SMTP which should be changed, if needed. By default, the SMTP port is 465 or, if you are using SSL/TLS, the default is port 25. The range is 1 to 65535.
-
Select one of the following to add Transport Layer Security.
- Require STARTTLS: Select this option to connect to an SMTP server that supports the STARTTLS command to elevate the connection from text-based to TLS.
- Require SMTPS: Select this option to immediately use TLS in its connection to the target SMTP server.
- None: There is no transport layer security applied to emails.
If you selected Require STARTTLS or Require SMTPS, you can select one, both, or none of the following:
- Verify SSL Certificate: Verify SSL Certificate: If not selected, the remote SMTP server's SSL certificate is not verified.
- Use Client Certificate: Select this check box to present a Client Certificate during a TLS connection to the remote SMTP server.
- User Authentication: Select an option if you want to authenticate access to the SMPT server.
- Account: If selected, click Directory Account or Asset Account then select the account to use for authentication.
- Password: If selected, enter the Account Name and Account Password to use for authentication.
- None: If selected, the user will not be authenticated.
- Send Test Email To: Enter an email address to use as the "From" address for all emails originating from the appliance. This is required if you specify the SMTP Server Address. The limit is 512 characters.
To validate your setup
Test the email setup. When you test, no emails except for the tests are handled.
- In Send Test Email To, enter the email address of where to send the test message.
- Enter the Timeout for the test email from delivery start to the email successfully being sent or the return of an error notification. Each IP address is tested and if one fails, the an error is returned for the entire process. The maximum is 255 seconds per IP check. The error logs are maintained for two days. During testing, a valid From address with an invalid To address is not delivered.
- Click Send Test Email. The email is sent using the configuration settings. If there is an error or timeout, a message displays in the user interface.
- You must check to ensure the email is delivered. If there was no message in the user interface but the email is not delivered, check the support bundle log files in the SMTPSVC1 folder. Two days of logs are maintained. For more information, see Support bundle.