立即与支持人员聊天
与支持团队交流

One Identity Safeguard for Privileged Passwords 7.4.1 - Administration Guide

Introduction System requirements and versions Using API and PowerShell tools Using the virtual appliance and web management console Cloud deployment considerations Setting up Safeguard for Privileged Passwords for the first time Using the web client Home page Privileged access requests Appliance Management
Appliance Backup and Retention Certificates Cluster Global Services External Integration Real-Time Reports Safeguard Access Appliance Management Settings
Asset Management
Account Automation Accounts Assets Partitions Discovery Profiles Tags Registered Connectors Custom platforms Importing objects
Security Policy Management
Access Request Activity Account Groups Application to Application Cloud Assistant Asset Groups Entitlements Linked Accounts User Groups Security Policy Settings
User Management Reports Disaster recovery and clusters Administrator permissions Preparing systems for management Troubleshooting Frequently asked questions Appendix A: Safeguard ports Appendix B: SPP and SPS join guidance Appendix C: Regular Expressions

Licensing settings

CAUTION: All customers upgrading to SPP 7.0 require a new license. For more information, contact Support.

It is the responsibility of the Appliance Administrator to manage the Safeguard for Privileged Passwords licenses.

Hardware appliance

The One Identity Safeguard for Privileged Passwords 4000 Appliance, 3000 Appliance and 2000 Appliance ship with the Privileged Passwords module which requires a valid license to enable functionality.

You must install a valid license. Once the module is installed, SPP shows a license state of Licensed and is operational. If the module license is not installed, you have limited functionality. That is, even though you will be able to configure access requests, if a Privileged Passwords module license is not installed, you will not be able to request a password release.

Virtual appliance Microsoft Windows licensing

You must license the virtual appliance with a Microsoft Windows license. We recommend using either the MAK or KMS method. Specific questions about licensing should be directed to your Sales Representative. The virtual appliance will not function unless the operating system is properly licensed.

Licensing setup and update

To enter licensing information when you first log in

The first time you log in as the Appliance Administrator, you are prompted to add a license. The Success dialog displays when the license is added.

On the virtual appliance, the license is added as part of Initial Setup. For more information, see Setting up the virtual appliance..

IMPORTANT: After successfully adding a license, the Software Transaction Agreement will be displayed and must be read and accepted in order to use SPP.

To configure reminders for license expiration

To avoid disruptions in the use of SPP, the Appliance Administrator must configure the SMTP server, and define email templates for the License Expired and the License Expiring Soon event types. This ensures you will be notified of an approaching expiration date. For more information, see Enabling email notifications..

Users are instructed to contact their Appliance Administrator if they get an "appliance is unlicensed" notification.

As an Appliance Administrator, if you receive a "license expiring" notification, apply a new license.

To update the licensing file

Safeguard licenses can be updated both on hardware and virtual machines, whereas OS licenses can be updated only on virtual machines.

To perform licensing activities

Navigate to Appliance Management > Appliance > Licensing.

  • To upload a new license file, click Upload new license file and browse to select the current license file. The Software Transaction Agreement will also be displayed during this process and must be read and accepted in order to complete the licensing process.

  • To remove the license file, select the license and click Remove selected license.

  • To get more information on the license and to export license data, click the What do these numbers mean? button, or click on the numbers in the tile.

    If you want to export data about users, desktops or systems in CSV or JSON format, navigate to the table from which you want to export data by clicking the corresponding tab, for example Users Used.

    Click the export icon located on the table. For more information on exporting, see Exporting data.

    Below is the list of the available tabs.

    For device-based licenses:

    • General

    • Desktops Used

    • Other Desktops

    • Systems Used

    • Other Systems

    • History

    For user-based licenses:

    • General

    • Users Used

    • Password Vault Only

    • Other Users

    • History

  • The General tab, contains general information about the license:

    • License usage and consumption

    • Counts of all managed and unmanaged components

    • How licenses are counted

    • License Number

    • License Type

    • Expiration Date

    • Product Version

    • Date Added

    • Added By

Factory Reset

As an Appliance Administrator, you can use the Factory Reset feature to reset a SPP Appliance to recover from major problems or to clear the data and configuration settings on the appliance.

Factory reset is not an option for virtual appliances. You will need to redeploy the appliance.

Caution: Care should be taken when performing a factory reset against a physical appliance, because this operation removes all data and audit history, returning it to its original state when it first came from the factory. Performing a factory reset will NOT reset the BMC/IPMI interface or the IP address. However, the BMC/IPMI interface will need to be reenabled after the reset has completed (for more information, see Lights Out Management (BMC)). The appliance must go through configuration again as if it had just come from the factory. For more information, see Setting up Safeguard for Privileged Passwords for the first time..

In addition, performing a factory reset may change the default SSL certificate and default SSH host key.

The appliance resets to the current Long Term Support (LTS) version. For example, if the appliance is running version 6.6 (feature release) or 6.0.6 LTS (maintenance Long Term Support release) and then factory reset, the appliance will reset down to 6.0 LTS and you will have to patch up to your desired version. For more information, see Long Term Support (LTS) and Feature Releases..

Factory reset on a clustered appliance

Performing a factory reset on a clustered hardware appliance will not automatically remove the appliance from a cluster. The recommended best practice is to unjoin an appliance from the cluster before performing a factory reset on the appliance. After the unjoin and factory reset, the appliance must be configured again. For more information, see Setting up Safeguard for Privileged Passwords for the first time..

To perform a factory reset from the web client

  1. Go to Factory Reset on hardware (not virtual machine):
    • Navigate to Appliance Management > Appliance > Factory Reset.
  2. Click Factory Reset.

  3. In the Factory Reset confirmation dialog, enter the words Factory Reset and click Factory Reset.

    The appliance will go into Maintenance mode to revert the appliance. If the appliance was in a cluster, you may need to unjoin the factory reset appliance. The factory reset appliance must be configured again. For more information, see Setting up Safeguard for Privileged Passwords for the first time.. In addition, when you log in to the appliance, you will be prompted to add your SPP licenses.

You can also perform a factory reset from the Recovery Kiosk or Support Kiosk. For more information, see Performing a factory reset..

Lights Out Management (BMC)

The Lights Out Management feature allows you to remotely manage the power state and serial console to Safeguard for Privileged Passwords using the baseboard management controller (BMC). When a LAN interface is configured, this allows the Appliance Administrator to power on an appliance remotely or to interact with the Recovery Kiosk.

The Appliance Administrator can enable and configure the Lights Out Management feature. When Lights Out Management is enabled, the Appliance Administrator can set or change the password and modify the network information for the baseboard management console (BMC). When disabled, SPP immediately resets the password to a random value and resets the network settings to default values.

Lights Out Management is only available using hardware (not a virtual machine):

LAN interface required

This feature requires a LAN interface to be enabled and configured. One Identity Safeguard for Privileged Passwords's BMC supports the following LAN interfaces to provide this functionality:

  • SSH
  • IPMI v2
  • Web
  • Serial over Lan

It is strongly recommended that the LAN interface only be enabled in trusted environments.

To enable Lights Out Management

A static IP address will need to be assigned and a network cable will need to be connected to the IPMI ethernet port on the back of the appliance. This is in addition to the standard X0 network interface.

  2. Navigate to Lights Out Management (BMC).
  3. Click the Enable Lights Out Management toggle to enable or disable this feature. Set toggle on or toggle off.
  4. Once enabled, enter the following information about the BMC:
    1. IP address: The IPv4 address of the host machine.
    2. Netmask: The network mask IPv4 address.
    3. Default Gateway: The default gateway IPv4 address.

  5. Use Set BMC Admin Password to set the password for the host machine.

    Maximum password length: 20 characters.

    NOTE: If this feature was previously enabled, you will see an Update BMC Admin Password button instead. Optionally, click the Update BMC Admin Password button to reset the password for the host machine.

  6. Click OK to save the settings on the host machine.

Accessing the BMC

Once Lights Out Management is enabled in SPP, you can access the BMC via:

  • SSH to connect to the IPMI port to remotely manage the power state and serial console to SPP
  • Web browser

SSH connection

The SPP Kiosk Console can be accessed via Putty, Linux command line, or your preferred SSH Client.

  1. Connect to the IP assigned to the IPMI interface and login with the Admin user. (Default credentials are ADMIN/admin)
  2. At the prompt run: start /system1/sol1. There may be a delay. Please wait for the connection. A message like the following gives you the instructions to proceed:
    ->start /system1/sol1
    press <Enter>, <Esc>, and then <T> to terminate session
    (press the keys in sequence, one after the other)

  3. On the menu shown below, navigate using the arrow keys. Press the right arrow to select a menu option, press the left arrow to return to the menu list, press up or down to select a different menu option.

    Appliance Information >

    Power Options >

    Backups >

    Admin Password Reset >

    Factory Reset >

    Support Bundle >

  4. If the screen freezes, or displays distorted information, you can press CTRL+R or CTRL+D to refresh the screen.

  5. To exit the Kiosk press Enter, then press ESC, then press SHIFT+T. At the prompt, type in exit.

If the appliance is in Quarantine, please generate a Quarantine Bundle from the Kiosk menu and copy the file to a network share. After the bundle is retrieved, perform a Reboot via the Kiosk, to see if the appliance will recover on its own. If it remains in Quarantine, a Factory Reset will likely be necessary. For more information, see Performing a factory reset..

Web browser interface

If you experience difficulty logging in through SSH, web access is also available.

  1. In your browser, go to the IP address of your IPMI interface. (that is, https://10.10.10.10), and login with your BMC admin account. The default is ADMIN/admin.
  2. You can attempt to fix the SSH connection, by navigating to Maintenance > Unit Reset > Select Reset. After 60 seconds re-attempt the SSH connection.
  3. Login to the Kiosk via the web by navigating to Remote Control > Select Launch SOL. (Java is required for this method, the Kiosk will launch in a JNLP window.)
  4. Use the cursor keys and return to navigate. Page Up is used for backspace. It is not possible to copy and paste when using the Java viewer.

Rebooting

A reboot from the BMC web browser interface is only a hardware level reboot.

If you need to reboot using the web browser interface:

  1. Log into the BMC web browser interface.
  2. Open the Serial over Lan emulator, which opens the Kiosk interface.
  3. Select reboot from the menu.

See KB 263835: How to remotely access the Kiosk via the Lights Out Management / BMC / IPMI interface.

Network Diagnostics

SPP makes these diagnostic tests available for the Appliance Administrator and Operations Administrator.

NOTE: When you run these diagnostic tests, they are run on the appliance.

  1. Go to Network Diagnostics:
    • web client: Navigate to Appliance > Network Diagnostics.
  2. Choose the type of test to perform and complete the steps.
    • ARP: Use Address Resolution Protocol (ARP) to discover the Interface, Internet Address, Physical Address, and Type (dynamic or static).
    • Netstat: Use netstat to display the active connection protocol, local address, foreign address, and state.
    • NS Lookup: To obtain your domain name or IP address.
    • Ping: To verify your network connectivity and response time.
    • Show Routes: To retrieve routing table information.
    • Telnet: To access remote computers over TCP/IP networks like the internet.
    • Throughput: Test throughput to other appliances in the cluster.
    • Trace Route: To obtain your router information; trace route determines the paths packets take from one IP address to another.
相关文档

The document was helpful.

选择评级

I easily found the information I needed.

选择评级