立即与支持人员聊天
与支持团队交流

One Identity Safeguard for Privileged Passwords 7.5 - Administration Guide

Introduction System requirements and versions Using API and PowerShell tools Using the virtual appliance and web management console Cloud deployment considerations Setting up Safeguard for Privileged Passwords for the first time Using the web client Home page Privileged access requests Appliance Management
Appliance Backup and Retention Certificates Cluster Global Services External Integration Real-Time Reports Safeguard Access Appliance Management Settings
Asset Management
Account Automation Accounts Assets Partitions Discovery Profiles Tags Registered Connectors Custom platforms Importing objects
Security Policy Management
Access Request Activity Account Groups Application to Application Cloud Assistant Asset Groups Entitlements Linked Accounts User Groups Security Policy Settings
User Management Reports Disaster recovery and clusters Administrator permissions Preparing systems for management Troubleshooting Frequently asked questions Appendix A: Safeguard ports Appendix B: SPP and SPS join guidance Appendix C: Regular Expressions

Restarting the appliance

You can restart an appliance from the web client or directly from the appliance itself.

To restart an appliance

You can restart your appliance from the web client via Appliance > Power. For more information, see Power..

Appliance: Restart from the appliance

After the appliance powers off, you will need physical access to start it. Press the Green check mark button on the front panel of the appliance for NO MORE than one second to power on the appliance.

CAUTION: Once the Safeguard appliance is booted, DO NOT press and hold the Green check mark button. Holding this button for four or more seconds will cold reset the power of the appliance and may result in damage.

Setting the appliance name and Host DNS Suffix

SPP automatically assigns a name to the appliance; however, you can change the name from the Appliance Information page. In the web client, you can also edit the Host DNS Suffix that was set during the initial setup of SPP.

To edit the appliance name and host DNS suffix

  1. Go to the page:
    • web client: Navigate to Appliance > Appliance Information.
  2. To the right of the Appliance Name and Host DNS Suffix, click Edit to enable both fields for editing.
  3. Make any changes required to the Appliance Name or Host DNS Suffix.
  4. Click Save.

Debug

For each SPP internal service, you can specify the level of logging and the external syslog server for storing debug logs. This allows for debugging in real time.

Debug logging is appliance specific. The data sent to the syslog server can include but is not limited to Support Bundle debug data. Cluster wide TLS audit event can be logged to a syslog server (see Syslog Events).

Debug logging is off by default but you can turn it on or off. Because debug logs can be sizable, you may want to turn it on for debugging a specific scenario or testing and turn it off for daily operations.

Using the API to control TLS log connection messages

Using the API, you can control if TLS log connection messages are generated to the debug logs when the TLS connection to an external server is closed. If the log level is set (see below), the event is also sent to the syslog server.

To log TLS connection information, set the NetworkDebugEnabled property from the https://<network address>/service/appliance/v4/Service/Debug endpoint to true. For more information, see Using the API..

To configure debug logs to send to a syslog server

  1. You will need a configured syslog server. If you have not configured a syslog server, you will see a message like this: To configure additional debut logging options, you need to configure a syslog server. Click Configure a syslog server. For more information, see Configuring and verifying a syslog server..
  2. If you have a syslog server configured, navigate to Appliance > Debug.
  3. Select a Syslog Server to which you want to send debug logs. The default is Do not log to syslog.
  4. In Facility, select which syslog facility to which you want to use: Kernel, User, Mail, Daemons, Authorization, or Syslog.
  5. Set the log level.

    • To set all log levels, click Set All then choose to Set All at one of the levels. This is useful to set the most common level of logging you want for most services.
    • To set an individual Service Name's log level, select next to the service to change the log level for that service.

    When you select from either the set all levels or the individual service name level, the log includes the log level selected as well as those listed below the level you selected. The information is immediately sent to the server. For example:

    • Debug (includes Debug, Information, Warning, and Error)
    • Information (includes Information, Warning, and Error)
    • Warning (includes Warning and Error)
    • Error (includes only Error)
    • None (Disabled): No logs are sent
  6. The grid displays each Service Name (enum name) that supports debug logging and the current Log Level.
    • Click Refresh at any time to display the latest information.
    • Click Search to locate a specific service.

Licensing settings

CAUTION: All customers upgrading to SPP 7.0 require a new license. For more information, contact Support.

It is the responsibility of the Appliance Administrator to manage the Safeguard for Privileged Passwords licenses.

Hardware appliance

The One Identity Safeguard for Privileged Passwords 4000 Appliance, 3000 Appliance and 2000 Appliance ship with the Privileged Passwords module which requires a valid license to enable functionality.

You must install a valid license. Once the module is installed, SPP shows a license state of Licensed and is operational. If the module license is not installed, you have limited functionality. That is, even though you will be able to configure access requests, if a Privileged Passwords module license is not installed, you will not be able to request a password release.

Virtual appliance Microsoft Windows licensing

You must license the virtual appliance with a Microsoft Windows license. We recommend using either the MAK or KMS method. Specific questions about licensing should be directed to your Sales Representative. The virtual appliance will not function unless the operating system is properly licensed.

Licensing setup and update

To enter licensing information when you first log in

The first time you log in as the Appliance Administrator, you are prompted to add a license. The Success dialog displays when the license is added.

On the virtual appliance, the license is added as part of Initial Setup. For more information, see Setting up the virtual appliance..

IMPORTANT: After successfully adding a license, the Software Transaction Agreement will be displayed and must be read and accepted in order to use SPP.

To configure reminders for license expiration

To avoid disruptions in the use of SPP, the Appliance Administrator must configure the SMTP server, and define email templates for the License Expired and the License Expiring Soon event types. This ensures you will be notified of an approaching expiration date. For more information, see Enabling email notifications..

Users are instructed to contact their Appliance Administrator if they get an "appliance is unlicensed" notification.

As an Appliance Administrator, if you receive a "license expiring" notification, apply a new license.

To update the licensing file

Safeguard licenses can be updated both on hardware and virtual machines, whereas OS licenses can be updated only on virtual machines.

To perform licensing activities

Navigate to Appliance Management > Appliance > Licensing.

  • To upload a new license file, click Upload new license file and browse to select the current license file. The Software Transaction Agreement will also be displayed during this process and must be read and accepted in order to complete the licensing process.

  • To remove the license file, select the license and click Remove selected license.

  • To get more information on the license and to export license data, click the What do these numbers mean? button, or click on the numbers in the tile.

    If you want to export data about users, desktops or systems in CSV or JSON format, navigate to the table from which you want to export data by clicking the corresponding tab, for example Users Used.

    Click the export icon located on the table. For more information on exporting, see Exporting data.

    Below is the list of the available tabs.

    For device-based licenses:

    • General

    • Desktops Used

    • Other Desktops

    • Systems Used

    • Other Systems

    • History

    For user-based licenses:

    • General

    • Users Used

    • Password Vault Only

    • Other Users

    • History

  • The General tab, contains general information about the license:

    • License usage and consumption

    • Counts of all managed and unmanaged components

    • How licenses are counted

    • License Number

    • License Type

    • Expiration Date

    • Product Version

    • Date Added

    • Added By

相关文档

The document was helpful.

选择评级

I easily found the information I needed.

选择评级