8.1 Password Synchronization with Connected Systems through Identity Manager

The password checkout/check-in feature of PAM allows PAM to reset the password on the application or database and save the credentials in the Privileged Credential Vault whenever a user checks in the password. To perform the password check-in process, however, the administrator must include a script that resets the password on the required database or application and returns the same value to the PAM Privileged Credential Vault. For more information about the password check-in feature, refer to Managing Shared Accounts in the NetIQ Privileged Account Manager 3.0.1 Administration Guide.

If the required application or database is already a connected system of Identity Manager, the administrator needs only to configure a few settings to perform the password check-in process through Identity Manager. The driver for PAM and Identity Manager take care of random password generation, password policy definition for the applications, synchronizing the new password to the end application, and finally checking the password in to PAM.

For example, a user requires access to an application that is a connected system. To access the application, the user requires privileged credentials, so the user checks out the password for the required application on the PAM myaccess page. After performing the required tasks on the application, the user checks the password back in through PAM.

When a PAM administrator delegates the password check-in process to Identity Manager by using the Delegate to Identity Manager option in PAM, the status of the request in PAM is displayed as Checked-in delegated. The driver for PAM polls for such requests on the Publisher channel. For each request, the driver performs the following:

  1. Generates a random password: As part of the password check-in process in PAM, a random password is generated and set on the corresponding credential object. The random password is generated by using a password policy that is defined in Identity Manager. You can configure this password policy by using the Password Policy DN setting in the driver for PAM. For more information about generating passwords by using the password policy, refer to Section 8.1.1, Password Policy for Random Password Generation.

  2. Synchronizes the password to IDM: The driver generates a modify-password event for every password check-in request that it detects. The randomly generated password is set in the event, which is synchronized with IDM. The objects for which the password is set are the PAM credential objects, which are mapped to the IDM DirXML-pumCredential class by default. This class has a DN attribute, DirXML-pumReferenceObject, which must be populated with the DN of the user object that corresponds to the account on the target application whose password is to be reset by the password check-in operation in PAM. When the driver handles a password check-in request, it also resets the password of the user object referenced by this attribute.

  3. Checks the password in to PAM: When the random password is set in Identity Manager, the same random password is checked in to PAM. This completes the PAM password check-in process. The next time the password is checked out from PAM, the user can access the account with the new password and is able to log in to the target application with it, because the same password is synchronized to the target application through the driver for that target application.

NOTE: All the servers must be up and running for the password checkout/check-in process. If the connected system is down, password synchronization does not happen.

Figure 8-1 Delegating password check-in to Identity Manager

8.1.1 Password Policy for Random Password Generation

A password policy from IDM is used for the random password generation, and the policy to be used can be configured through a setting on the PAM driver. The PAM driver password GCV has a parameter called Password Policy DN with the default value Security\Password Policies\Sample Password Policy. The default value can be changed.

Some applications have specific password policies that are defined in IDM. These password policies can be set on the PAM driver by using the Mapping Table PasswdpolicyMapping. The Mapping Table contains the mapping between a key and a value: the key defines the application type, such as LDAP or SAP, and the value defines the policy DN in slash format. The key value is case-sensitive and must match the value defined in the PAM Manager.

For AccountDomains of type Application, the sub-type of the Application should be used as the key value, and for AccountDomains of type Oracle DB, ORACLE should be used as the key value. If no values are defined in the Mapping Table, the Password Policy DN parameter value is used by default for random password generation.

Figure 8-2 Sample Mapping Table on Identity Manager Designer
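The following Python model, added here as an illustration and not part of the NetIQ driver, walks through the delegated check-in flow of Section 8.1 (steps 1 to 3, including the unpopulated DirXML-pumReferenceObject and connected-system-down cases) together with the PasswdpolicyMapping lookup rules of Section 8.1.1. The mapping table entries, policy rules, request and credential records are constructed sample data; only the default Password Policy DN, the status strings and the attribute name come from the page.

```python
import secrets
import string

# Default of the driver's Password Policy DN GCV (value from the page)
DEFAULT_POLICY_DN = r"Security\Password Policies\Sample Password Policy"

# Constructed PasswdpolicyMapping table: key = PAM application type (case-sensitive), value = policy DN
PASSWD_POLICY_MAPPING = {
    "LDAP": r"Security\Password Policies\LDAP Policy",
    "ORACLE": r"Security\Password Policies\Oracle Policy",
}
# Constructed stand-ins for the IDM policies: (minimum length, required character classes)
POLICY_RULES = {
    DEFAULT_POLICY_DN: (8, [string.ascii_lowercase, string.ascii_uppercase, string.digits]),
    r"Security\Password Policies\LDAP Policy": (12, [string.ascii_letters, string.digits, "!@#$%"]),
    r"Security\Password Policies\Oracle Policy": (10, [string.ascii_letters, string.digits]),
}

def policy_dn_for(domain_type, sub_type=None, mapping=PASSWD_POLICY_MAPPING):
    """Application domains are keyed by sub-type, Oracle DB by ORACLE; unmapped keys fall back to the GCV."""
    if domain_type == "Application":
        key = sub_type
    elif domain_type == "Oracle DB":
        key = "ORACLE"
    else:
        key = domain_type
    return mapping.get(key, DEFAULT_POLICY_DN)  # dict lookup is case-sensitive, like the driver's

def generate_password(policy_dn):
    """Random password satisfying the constructed rules: one char from each class, then fill to min length."""
    min_len, classes = POLICY_RULES[policy_dn]
    chars = [secrets.choice(c) for c in classes]
    chars += [secrets.choice("".join(classes)) for _ in range(min_len - len(chars))]
    secrets.SystemRandom().shuffle(chars)
    return "".join(chars)

def process_checkin(request, credential, users, connected_system_up=True):
    """Handle one Publisher-channel request; returns the outcome so callers can see why nothing happened."""
    if request["status"] != "Checked-in delegated":
        return "skipped: not delegated to Identity Manager"
    ref = credential.get("DirXML-pumReferenceObject")
    if not ref or ref not in users:
        return "error: DirXML-pumReferenceObject not populated"
    if not connected_system_up:
        return "deferred: connected system down, no synchronization"
    policy = policy_dn_for(request["domain_type"], request.get("sub_type"))
    new_pw = generate_password(policy)              # step 1: random password from the selected policy
    users[ref]["password"] = new_pw                 # step 2: modify-password on the referenced user object
    credential["password"] = new_pw                 # step 3: the same value is checked in to the PAM vault
    request["status"] = "Checked-in"
    return "checked in with " + policy
```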