A.4 Scenario 4: Tunneling

Identity Manager enables you to synchronize passwords among connected systems while keeping the Identity Vault password separate. This is referred to as “tunneling.”

In this scenario, Identity Manager directly updates the Distribution password. This scenario is almost the same as Section A.3, Scenario 3: Synchronizing an Identity Vault and Connected Systems, with Identity Manager Updating the Distribution Password. The difference is that you make sure the Universal password and the Distribution password are not being synchronized. You do this either by not using NMAS password policies, or by using password policies with the option disabled for Synchronize Distribution Password when setting Universal Password.

Figure A-9 Tunneling, with Identity Manager Updating the Distribution Password

Figure A-9 illustrates the following flow:

  1. Passwords come in through Identity Manager.

  2. Identity Manager goes through NMAS to directly update the Distribution password.

  3. Identity Manager also uses the Distribution password to distribute passwords to connected systems that you have specified should accept passwords.

The key to this scenario is that in the NMAS password policy, Synchronize Universal Password with Distribution Password is disabled. Because the Distribution password is not synchronized with the Universal password, Identity Manager synchronizes passwords among connected systems without affecting passwords in the Identity Vault.

Although multiple connected systems are shown as connecting to Identity Manager in this figure, keep in mind that you individually create the settings for each connected system driver.

The following sections provide information and instructions for this scenario:

A.4.1 Advantages and Disadvantages of Scenario 4

Table A-4 Tunneling

Advantages:

  • Allows synchronization of passwords among connected systems, while keeping the Identity Vault password separate.

  • The password policy does not need to have Universal Password enabled, but the environment must support Universal Password.

  • Supports the Check Password Status task in iManager, if the connected system supports it.

  • You can specify that notification be sent if password synchronization fails.

  • You can reset a connected system password that does not comply with password policy.

  • If Universal Password and Advanced Password Rules are enabled, password policies are enforced if you specify that they should be enforced, and passwords on connected systems can be reset.

Disadvantages:

  • If Universal Password or Advanced Password Rules are not enabled, password policies are not enforced, and passwords on connected systems cannot be reset.

A.4.2 Setting Up Scenario 4

Use the information in the following sections to help complete the tasks in the Password Management Checklist.

Password Policy Configuration

Review your password policy to confirm the following:

  • Make sure that Synchronize Distribution Password when setting Universal Password is not selected.

    This is the key to tunneling passwords without the Identity Vault password being affected. By not synchronizing the Universal password with the Distribution password, you keep the Distribution password separate, for use only by Identity Manager for connected systems. Identity Manager acts as a conduit, distributing passwords to and from other connected systems, without affecting the Identity Vault password.

    Password Policy Settings for Scenario 4

  • Complete the other password policy settings as desired.

    The other password settings in the password policy are optional.

A.4.3 Troubleshooting Scenario 4

If password synchronization is set up for tunneling, the Distribution password is different from both the Universal password and the NDS password.

See also the tips in Section 7.0, Troubleshooting Password Synchronization.

Trouble Logging in to Another Connected System that Subscribes to Passwords

This section is for troubleshooting situations where this connected system is publishing passwords to Identity Manager, but another connected system that is subscribing to passwords does not appear to be receiving the changes from this system. Another name for this relationship is a secondary connected system, meaning that it receives passwords from the first connected system through Identity Manager.

  • Turn on the +DXML and +DVRS settings in DSTrace to see Identity Manager rule processing and potential errors.

  • Set the Identity Manager trace level for the driver to 3.

  • Make sure that the Identity Manager accepts passwords (Publisher Channel) option is selected on the Password Synchronization page.

  • In the password policy, make sure that Synchronize Distribution Password when setting Universal Password is not selected.

    Identity Manager uses the Distribution password to synchronize passwords to connected systems. For tunneling, the Distribution password must be kept separate from the Universal password, so that password changes flow between connected systems without touching the Identity Vault password.

  • Make sure the driver filter has the correct settings for the nspmDistributionPassword attribute.

  • Verify that the <password> element for an Add and a <modify-password> element have been converted to Add and Modify attribute operations for the nspmDistributionPassword. To verify, watch the DSTrace screen or file with the trace options turned on as noted in the first item.

  • Verify that the driver configuration includes the Identity Manager script password policies in the correct location and correct order, as described in Section B.0, Driver Configuration Policies.

  • Compare the password policy in the Identity Vault with any password policies enforced by the connected system, to make sure they are compatible.
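As an added example (not part of this guide), the following Python check supports the item above about converted password elements: it pulls the XDS documents out of a DSTrace excerpt and reports whether a <modify-password> or Add <password> event is accompanied by an nspmDistributionPassword add or modify operation. The trace excerpt, its surrounding log lines, the policy name and the DNs are all constructed for illustration and are not real trace output.

```python
import re
import xml.etree.ElementTree as ET

# Constructed DSTrace excerpt, not real trace output: the password event as the connected
# system published it, then the same event after the driver's password synchronization
# policies rewrote it as a modify of nspmDistributionPassword (policy name is made up).
SAMPLE_TRACE = """\
DirXML Log Event -------------------
    Channel:  Publisher
<nds dtdversion="3.5" ndsversion="8.x">
  <input>
    <modify-password class-name="User" src-dn="CN=jdoe,OU=Users,DC=example,DC=com">
      <password><!-- content suppressed --></password>
    </modify-password>
  </input>
</nds>
Applying policy: Password Sync (constructed name)
<nds dtdversion="3.5" ndsversion="8.x">
  <input>
    <modify class-name="User" dest-dn="\\TREE\\data\\users\\jdoe">
      <modify-attr attr-name="nspmDistributionPassword">
        <remove-all-values/>
        <add-value><value type="string"><!-- content suppressed --></value></add-value>
      </modify-attr>
    </modify>
  </input>
</nds>
"""

XDS_DOC = re.compile(r"<nds\b.*?</nds>", re.DOTALL)

def extract_xds_documents(trace_text):
    """Return every <nds>...</nds> XDS document embedded in the trace text, in order."""
    return [ET.fromstring(m.group(0)) for m in XDS_DOC.finditer(trace_text)]

def password_conversion_status(trace_text):
    """Count raw password events (<modify-password>, or <password> inside an <add>) and
    nspmDistributionPassword add/modify operations; 'converted' is True only when a raw
    event is accompanied by a Distribution password operation, as the checklist expects."""
    raw = converted = 0
    for doc in extract_xds_documents(trace_text):
        raw += len(doc.findall(".//modify-password")) + len(doc.findall(".//add/password"))
        for el in doc.iter():  # any add-attr/modify-attr targeting the Distribution password
            if el.tag in ("add-attr", "modify-attr") and el.get("attr-name") == "nspmDistributionPassword":
                converted += 1
    return {"raw_password_events": raw, "distribution_password_ops": converted,
            "converted": raw > 0 and converted > 0}
```

Run it against a saved trace file by passing the file's contents to password_conversion_status; a result with raw events but zero Distribution password operations points at missing or misordered password synchronization policies.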

E-Mails Not Generated on Password Failure

  • Turn on the +DXML setting in DSTrace to see Identity Manager rule processing.

  • Set the Identity Manager trace level for the driver to 3.

  • Verify that the rule to generate e-mail is selected.

  • Verify that the Identity Vault object contains the correct value in the Internet EMail Address attribute.

  • In the Notification Configuration task, check the SMTP server and the e-mail template. See Section 5.0, Configuring E-Mail Notification.

E-mail notifications are non-invasive. They do not affect the processing of the XML document that triggered the e-mail. If they fail, they are not retried unless the operation itself is retried. Debug messages for e-mail notifications are written to the trace file.

Error When Using Check Password Status

The Check Password Status task in iManager causes the driver to perform a Check Object Password action.

  • Make sure that the connected system supports checking passwords. See Section 3.0, Connected System Support for Password Synchronization.

    This operation is not available through iManager if the driver manifest does not indicate that the connected system supports password-check capability.

  • If the Check Object Password action returns -603, the Identity Vault object does not contain an nspmDistributionPassword attribute. Check the Identity Manager attribute filter, and the Synchronize Universal to Distribution option within the password policy.

  • If the Check Object Password action returns Not Synchronized, verify that the driver configuration contains the appropriate Identity Manager password synchronization policies.

  • Compare the password policy in the Identity Vault with any password policies enforced by the connected system, to make sure they are compatible.

  • The Check Object Password action checks the Distribution password. If the Distribution password is not being updated, Check Object Password might not report that passwords are synchronized.

Helpful DSTrace Commands

+DXML: To view Identity Manager rule processing and potential error messages.

+DVRS: To view Identity Manager driver messages.

+AUTH: To view NDS password modifications.

+DCLN: To view NDS DClient messages.