The Privileged Appliance and Modules (TPAM) 1.0. Diagnostics and Troubleshooting Guide

Similar documents
One Identity Starling Two-Factor Desktop Login 1.0. Administration Guide

Cloud Access Manager How to Deploy Cloud Access Manager in a Virtual Private Cloud

One Identity Starling Two-Factor HTTP Module 2.1. Administration Guide

One Identity Starling Two-Factor AD FS Adapter 6.0. Administrator Guide

One Identity Starling Two-Factor Authentication. Administration Guide

One Identity Starling Two-Factor Authentication. Administrator Guide

One Identity Quick Connect Express

One Identity Active Roles 7.2

One Identity Active Roles Diagnostic Tools 1.2.0

EAM Portal User's Guide

Cloud Access Manager SonicWALL Integration Overview

Cloud Access Manager How to Configure for SSO to SAP NetWeaver using SAML 2.0

One Identity Defender 5.9. Product Overview

One Identity Active Roles 7.2. Management Pack Technical Description

TPAM Security Product Client for Windows Security Product Client for Windows Guide

The Privileged Appliance and Modules (TPAM) Approver Guide

One Identity Password Manager User Guide

One Identity Management Console for Unix 2.5.1

Spotlight on SQL Server Enterprise Spotlight Management Pack for SCOM

Authentication Services ActiveRoles Integration Pack 2.1.x. Administration Guide

Quest Unified Communications Diagnostics Data Recorder User Guide

Spotlight Management Pack for SCOM. User Guide

Setting up the DR Series System on Acronis Backup & Recovery v11.5. Technical White Paper

Quest Migration Manager Upgrade Guide

Authentication Manager Self Service Password Request Administrator s Guide

Dell Secure Mobile Access Connect Tunnel Service User Guide

One Identity Safeguard for Privileged Sessions 5.9. Remote Desktop Protocol Scenarios

Quest Migrator for Notes to Exchange SSDM User Guide

One Identity Active Roles 7.2. Replication: Best Practices and Troubleshooting Guide

KACE GO Mobile App 5.0. Getting Started Guide

Setting up Quest QoreStor as an RDA Backup Target for NetVault Backup. Technical White Paper

KACE GO Mobile App 3.1. Release Notes

One Identity Manager Data Archiving Administration Guide

One Identity Active Roles 7.2. Configuration Transfer Wizard Administrator Guide

Quest InTrust InTrust Events

One Identity Starling Two-Factor Authentication

Dell Statistica. Statistica Enterprise Server Installation Instructions

Quest Migration Manager for Exchange Resource Kit User Guide

Cloud Access Manager Overview

Rapid Recovery License Portal Version User Guide

KACE GO Mobile App 4.0. Release Notes

About One Identity Quick Connect for Base Systems 2.4.0

One Identity Starling Identity Analytics & Risk Intelligence. User Guide

Metalogix Intelligent Migration. Installation Guide

Quest Recovery Manager for Active Directory 9.0. Quick Start Guide

Quest Code Tester for Oracle 3.1. Installation and Configuration Guide

KACE GO Mobile App 5.0. Release Notes

Setting up the DR Series System with vranger. Technical White Paper

Cloud Access Manager How to Configure Microsoft Office 365

SQL Optimizer for Oracle Installation Guide

Rapid Recovery DocRetriever for SharePoint User Guide

One Identity Manager 8.0. Administration Guide for Connecting to Azure Active Directory

One Identity Manager 8.0. Data Archiving Administration Guide

Metalogix Archive Manager for Files 8.0. IIS Installation

One Identity Authentication Services Defender Integration Guide

Dell SonicWALL SonicOS 5.9 Upgrade Guide

About Toad for Oracle 2017 Editions 2. Product release notes 4. Installation 5

One Identity Manager 8.0. IT Shop Administration Guide

Quest Recovery Manager for Active Directory Forest Edition 9.0. Quick Start Guide

Quest Migration Manager for Exchange Granular Account Permissions for Exchange 2010 to 2013 Migration

Quest VROOM Quick Setup Guide for Quest Rapid Recovery for Windows and Quest Foglight vapp Installers

One Identity Manager 8.0. Administration Guide for Connecting Unix-Based Target Systems

Quest VROOM Quick Setup Guide for Quest Rapid Recovery for Windows and Quest Foglight vapp Installers

Quest Migration Manager for Exchange Granular Account Permissions for Exchange 2010 to 2010 Migration

Cloud Access Manager How to Configure Microsoft SharePoint

Setting Up Quest QoreStor as a Commvault Backup Target. Technical White Paper

One Identity Manager 8.0. Administration Guide for Connecting to a Universal Cloud Interface

One Identity Manager Administration Guide for Connecting to SharePoint

Cloud Access Manager Installation Guide

SonicWall Secure Mobile Access

Setting Up Quest QoreStor with Veeam Backup & Replication. Technical White Paper

SonicWall Mobile Connect for Chrome OS

Quest InTrust Objects Created and Used by InTrust

One Identity Active Roles 7.2. Web Interface User Guide

Dell SonicWALL Security 8.1.1

Toad DevOps Toolkit 1.0

One Identity Manager Administration Guide for Connecting to SharePoint Online

One Identity Password Manager 5.7.1

One Identity Quick Connect for Base Systems 2.4. Administrator Guide

SQL Optimizer for IBM DB2 LUW 4.3.1

One Identity Active Roles 7.2. Azure AD and Office 365 Management Administrator Guide

LiteSpeed for SQL Server 6.1. Configure Log Shipping

Quest VROOM Quick Setup Guide for Quest Rapid Recovery and Foglight Windows Installers

One Identity Active Roles 7.2. Web Interface Administrator Guide

Dell One Identity Cloud Access Manager 8.0. Overview

Quest VROOM Quick Setup Guide for Quest Rapid Recovery and Foglight Windows Installers

SonicWall Secure Mobile Access

Dell Change Auditor 6.5. Event Reference Guide

Quest NetVault Backup Plug-in for SnapMirror To Tape. User s Guide. version 7.6. Version: Product Number: NTG EN-01 NTG

One Identity Manager 8.0. Native Database Connector User Guide for Connecting DB2 (LUW) Databases

Metalogix Essentials for Office Creating a Backup

MySonicWall Secure Upgrade Plus

Toad Intelligence Central 3.3 New in This Release

Toad Edge 2.0 Preview

Metalogix ControlPoint 7.6. for Office 365 Installation Guide

About One Identity Quick Connect for Cloud Services Release Notes

Dell GPOADmin 5.7. About Dell GPOADmin 5.7. New features. Release Notes. December 2013

One Identity Manager Administration Guide for Connecting Oracle E-Business Suite

Quest Collaboration Services 3.6. Installation Guide

SonicWall Secure Mobile Access SMA 500v Virtual Appliance 8.6. Getting Started Guide

Transcription:

The Privileged Appliance and Modules (TPAM) 1.0 Guide

Copyright 2017 One Identity LLC. ALL RIGHTS RESERVED. This guide contains proprietary information protected by copyright. The software described in this guide is furnished under a software license or nondisclosure agreement. This software may be used or copied only in accordance with the terms of the applicable agreement. No part of this guide may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying and recording for any purpose other than the purchaser s personal use without the written permission of One Identity LLC. The information in this document is provided in connection with One Identity products. No license, express or implied, by estoppel or otherwise, to any intellectual property right is granted by this document or in connection with the sale of One Identity LLC products. EXCEPT AS SET FORTH IN THE TERMS AND CONDITIONS AS SPECIFIED IN THE LICENSE AGREEMENT FOR THIS PRODUCT, ONE IDENTITY ASSUMES NO LIABILITY WHATSOEVER AND DISCLAIMS ANY EXPRESS, IMPLIED OR STATUTORY WARRANTY RELATING TO ITS PRODUCTS INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON- INFRINGEMENT. IN NO EVENT SHALL ONE IDENTITY BE LIABLE FOR ANY DIRECT, INDIRECT, CONSEQUENTIAL, PUNITIVE, SPECIAL OR INCIDENTAL DAMAGES (INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF PROFITS, BUSINESS INTERRUPTION OR LOSS OF INFORMATION) ARISING OUT OF THE USE OR INABILITY TO USE THIS DOCUMENT, EVEN IF ONE IDENTITY HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. One Identity make no representations or warranties with respect to the accuracy or completeness of the contents of this document and reserves the right to make changes to specifications and product descriptions at any time without notice. One Identity do not make any commitment to update the information contained in this document. If you have any questions regarding your potential use of this material, contact: One Identity LLC. Attn: LEGAL Dept 4 Polaris Way Aliso Viejo, CA 92656 Refer to our Web site (http://www.oneidentity.com) for regional and international office information. Patents One Identity is proud of our advanced technology. Patents and pending patents may apply to this product. For the most current information about applicable patents for this product, please visit our website at http://www.oneidentity.com/legal/patents.aspx. Trademarks One Identity and the One Identity logo are trademarks and registered trademarks of One Identity LLC. in the U.S.A. and other countries. For a complete list of One Identity trademarks, please visit our website at www.oneidentity.com/legal. All other trademarks are the property of their respective owners. Legend WARNING: A WARNING icon indicates a potential for property damage, personal injury, or death. CAUTION: A CAUTION icon indicates potential damage to hardware or loss of data if instructions are not followed. IMPORTANT, NOTE, TIP, MOBILE, or VIDEO: An information icon indicates supporting information. TPAM Guide Updated - November 2017 Version - 1.0

Contents 1 Introduction 1 TPAM functional overview 1 Methods of access 2 Deployment scenarios 2 Common issues 3 Common setup issues 3 Troubleshooting checklist 3 CLI IDs 4 Logs 4 System status 4 Network tools 5 Ping utility 5 Nslookup utility 5 TraceRoute utility 6 Telnet Test utility 6 Performance diagnostics 6 Prerequisites for contacting support 6 About us 8 Contacting us 8 Technical support resources 8 TPAM 1.0 Guide 3

1 Introduction This purpose of this guide is to: explain the TPAM product use case teach how to troubleshoot common issues teach how to gather all the necessary information that Support requires to diagnose an issue in the event that a support ticket needs to be opened TPAM functional overview Total Privileged Access Management (TPAM) is a robust collection of integrated modular technologies designed specifically to meet the complex and growing compliance and security requirements associated with privileged identity management and privileged access control. TPAM is comprised of two modules: Privileged Password Manager (PPM) Privileged Session Manager (PSM) Privileged Password Manager (PPM) automates, controls and secures the entire process of granting administrators the credentials necessary to perform their duties. Privileged Password Manager ensures that when administrators require elevated access, that access is granted according to established policy, with appropriate approvals, that all actions are fully audited and tracked and that the password is changed immediately upon its return. Privileged Session Manager (PSM) provides session control, proxy, audit, recording and replay of high-risk users, including administrators, remote vendors and others. It provides a single point of control from which you can authorize connections, limit access to specific resources, view active connections, record all activity, alert if connections exceed pre-set time limits and terminate connections. TPAM 1.0 Guide 1

The appliance runs on a hardened Windows Web Server. An internal firewall is active on the device, protecting against network threats and OS vulnerabilities. The front end provides the administrative interface, the automation routines, and the gateway to the encrypted passwords for the release mechanism. There is no direct access to the OS of the appliance. All configurations occur via the configuration or administrative interfaces. In addition to storing sensitive data (such as passwords) in encrypted form, the hard disk of the appliance is fully encrypted. This prevents exposure of data should the disk be lost or stolen. The connections to remote managed systems are accomplished utilizing the most secure standard methods available. In most cases, this will be SSH. A setup guide is provided to accomplish the necessary configuration on the remote system. In most cases, this will include the definition of a functional userid with password change capability. If a system is managed by PPM then the appliance also makes connections to these managed systems to ensure that the stored password is valid on the managed system. Any out of sync conditions are reported, and based on the configuration settings, automatically corrected. Methods of access The TPAM appliance has several methods of access: Configuration interface (HTTPS via direct connection, with network option) Administrative interface (HTTPS via network access) User interface (HTTPS via network access) System Administrator CLI (SSH via network access) User CLI (SSH via network access) User API (SSH client application via network access) Deployment scenarios High availability clustering is an option for customers to support TPAM with a minimum of down time and eliminate a single point of failure. Each appliance is configured with a cluster role. The cluster role choices are: Primary -Acts as the information source for the cluster. Only one primary allowed per cluster. Replica -redundant appliance that is kept in synch with the primary. Can be configured to automatically fail over if it loses contact with the primary. Standalone -this role only applies to DPAs enrolled in the cluster and cannot be changed. TPAM 1.0 Guide 2

Common issues For solutions to common issues please go to https://support.oneidentity.com/tpamappliance and click on the Knowledge Base link on the left side of the page. Solutions to many issues found by customers are posted here. Examples of some common issues are: PSM Session Connection issues-issues establishing remote sessions to managed systems, including unavailable ports and java issues, etc. Connection failures between PPM and managed systems-incorrect functional account password, unavailable ports, etc. Restoring HA Clusters, replication issues-failover due to communication between appliances, etc. Hardware failures, RMAs (hardware replacement) Web Interface Login / Availability issues Downloading and applying hotfixes, patches etc.-downloads are available from https://support.oneidentity.com Common setup issues When replacement appliances are received, there is a specific process for restoring the appliance from backup. Configuring network settings on new or replaced appliances The appliance(s) must be accessed using the config port to update the network settings for the appropriate subnet, etc. Troubleshooting checklist Troubleshooting TPAM issues begins with collecting all relevant information. With version 2.5 of TPAM the Support Bundle was created to allow Technical Support to collect a data file that includes vital information about the TPAM appliance. The information in this file will be used for troubleshooting issues when calling in to open a service request. The Support Bundle is an un-encrypted file but does not contain any sensitive customer data such as passwords, only information about the appliance itself. To create a support bundle: 1. Select System Status/Settings System Status from the menu. TPAM 1.0 Guide 3

2. Click the Support Bundle tab. 3. Based on your conversation with technical support, select/clear the check boxes in the Optional Items section. Enter a Start Date and End Date to narrow the results. 4. Click the Create Support Bundle button. Once the bundle is complete it is displayed in the Bundle list. 5. Select the bundle name from the list that you want to download. 6. Click the Download Bundle button. 7. Click the OK button to save the file offline. Now the zip file can be emailed to Technical Support. CLI IDs It is recommended that customers create a Sys-Admin CLI user ID and that they download and store the key outside of the appliance. A CLI Sys-Admin user ID is a special user account used to access TPAM remotely via the CLI (command line interface). When accessing TPAM through the CLI they can only execute specific commands supported by the TPAM CLI. A Sys-Admin CLI user ID can access the TPAM appliance when the web interface becomes unavailable and thus perform various troubleshooting steps. Steps to add a Sys-Admin CLI user ID are included in the System Administrator Guide. Logs Logs are located in the tpam /admin interface. Logs included here are the Sys-Admin Activity Log, Security Log, Firewall Log, Database Log and Alerts Log. However, there are other logs that can be gathered such as the Primary and Replica logs for HA issues, Mail Agent log, Backup log, Patch log and so on. Particular logs will be requested from the technical support team, dependent on the issue being investigated. System status The System Status page is a requirement at all times in order to confirm the version and appliance serial number. To navigate to the System Status page int the /admin interface select System Status/Settings System Status from the menu. On the System Status page scroll down in the embedded text box so the "Appliance Info" is visible in the screen shot. A screen shot of the System Status is a requirement for the escalation team when opening a Collaboration Request. TPAM 1.0 Guide 4

Network tools To assist the TPAM System Administrator with troubleshooting common network related problems, TPAM contains network tools that are accessible from the /config and /admin interface. In addition, some specialized configurations can be made to add or manage static routes. From the /tpam interface navigate to Management Network Tools. From the /config interface the Network Tools is located in the main menu. Ping utility The ping utility can be used to verify connectivity to remote hosts and determine latency. Many of the optional parameters for the ping command are available. The available command options are listed along with the short description of each. To use the ping utility: 1. Select Net Tools Ping from the menu. 2. Enter the IP or Hostname. 3. Select the options desired. 4. Click the Ping button. The results will be displayed. Nslookup utility Nslookup is a common TCP/IP tool used to test DNS settings and perform similar information gathering using DNS resolution. The TPAM utility for nslookup will use the DNS server(s) configured to TPAM only. The option to specify a server is not provided. TPAM System Administrators can benefit from the ability to use nslookup to resolve hostnames to IP addresses and vice versa. To use Nslookup: 1. Select Net Tools Nslookup from the menu. 2. Enter the IP address or Hostname to look up. 3. Click the Lookup button. TPAM 1.0 Guide 5

TraceRoute utility The tracerouteutility is available for examining network routing and connectivity from TPAM to a remote IP address or hostname. The use of traceroute is often disallowed by firewalls, routers, and other network security infrastructure, but if allowed, it can be a valuable diagnostic tool. To use traceroute: 1. Select Net Tools TraceRoute from the menu. 2. Enter the IP or Hostname to trace. 3. Select the -d check box. (Optional) 4. Change the default number of hops and timeout wait. (Optional) 5. Click the Trace button. Telnet Test utility The Telnet test utility lets a test be performed from the appliance to another system over a specific port. The tool will test the defined port using telnet functionality to verify the port, whether a connection can be made, and then immediately close the connection. To use the Telnet Test utility: 1. Select Net Tools Telnet Test from the menu. 2. Enter the network address, port and timeout period. 3. Click the Trace button. Performance diagnostics The system status graphs provide a visual presentation of key statistics for system administrators and technical support. To view the graphs select System Status/Settings System Status from the menu. Click the Graphs tab. See the System Administrator Guide for more details. Prerequisites for contacting support Technical support is available to customers who have a trial version of a TPAM product or who have purchased a TPAM product and have a valid maintenance contract. TPAM 1.0 Guide 6

Submitting the Support Bundle, with a clear description of the issue being reported, is recommended. Additional logs/information may be required, and a member of the Support team can determine this based on the issue. TPAM 1.0 Guide 7

About us About us Contacting us For sales or other inquiries, visit https://www.oneidentity.com/company/contact-us.aspx or call +1-800-306-9329. Technical support resources Technical support is available to One Identity customers with a valid maintenance contract and customers who have trial versions. You can access the Support Portal at https://support.oneidentity.com/. The Support Portal provides self-help tools you can use to solve problems quickly and independently, 24 hours a day, 365 days a year. The Support Portal enables you to: Submit and manage a Service Request View Knowledge Base articles Sign up for product notifications Download software and technical documentation View how-to-videos Engage in community discussions Chat with support engineers online View services to assist you with your product TPAM 1.0 Guide About us 8

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback