Transparent password synchronization with Hitachi ID Password Manager
When users change their password natively on a system where a password synchronization trigger has been installed, the new password is subjected to an extra password policy and, if accepted, is changed both locally and on other systems where the user has accounts.
Hitachi ID Password Manager (formerly P-Synch) includes password synchronization triggers for Windows server or Active Directory (32-bit, 64-bit), Sun LDAP, IBM LDAP, Oracle Internet Directory, Unix (various), z/OS and iSeries (AS/400).
Using a familiar and mandatory password change process guarantees 100% user adoption.
Process
Transparent password synchronization, triggered by a native password change on a monitored system, works as follows:
- User: decides to change his password(s) or is prompted to do so during the login process.
- User: enters his login ID, current password and desired new value.
- Login server: validates password quality internally, then calls a Password Manager library to further validate password quality.
- Password Manager library: contacts the Password Manager server; establishes an encrypted connection; forwards a request for password policy validation.
- Password Manager server: validates password quality; returns the result. In the event of an attempted policy violation, Password Manager may send a message directly to the user by e-mail or Windows pop-up message, may create an incident management system ticket, and so on.
- Login server: updates the user's password field internally, then calls the Password Manager library to notify it of the successful change. Note that a failure to meet the Password Manager policy will normally block the initial password change from happening.
- Password Manager library: contacts the Password Manager server; establishes an encrypted connection; forwards a request for password synchronization.
- Password Manager server: queues up the new password for synchronization.
- Password Manager server: resolves the single queued event to a list of passwords that must be set for this user (one per account).
- Password Manager server: administratively sets the user's passwords on each system to the new value.
- Password Manager server: in the event of failure, re-queues and retries; may send the user one or more e-mails to notify them of the problem; may create a ticket on an incident management system to alert someone to the problem.
Technical details
Transparent password synchronization can be triggered from native password changes on any of the following systems:
- Windows 2000/2003/2008 servers and Active Directory domains (password filter DLL on servers and/or DCs).
- z/OS mainframes with RACF, ACF2 or TopSecret security products (security exit in the LPAR with the security products).
- OS/400, iSeries servers.
- Unix servers (passwd program wrapper binary or PAM).
- Sun/Oracle and IBM LDAP servers (attribute change filter on the directory server).
Each of these triggers contacts the Password Manager server twice per password change, over an encrypted TCP/IP socket (shared key handshake, 128-bit AES encryption):
- First connection: validate password quality, possibly reject the user's choice of a new password and block the triggering password change due to policy violation
- Second connection: initiate transparent password synchronization
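The two-call trigger flow described in the Process section and summarized above (first call: extra policy check that can block the native change; second call: queue a synchronization event, resolve it to one task per account, set each password administratively, re-queue failures), as an added Python simulation. This is example code, not Hitachi ID code: the policy rules, host names, account list and the simulated target outage are constructed for the example, and the encrypted socket with its shared-key handshake is replaced by direct method calls so that the block runs offline.

```python
# Added example (not Hitachi ID code): simulation of the trigger's two calls to the
# Password Manager server. Transport (shared-key handshake, AES socket) is omitted.
from dataclasses import dataclass
import re


@dataclass
class SyncTask:
    """One password that must be set on one target system (one per account)."""
    login_id: str
    target: str
    new_password: str
    attempts: int = 0


class PasswordManagerServer:
    def __init__(self, accounts, max_attempts=3):
        self.accounts = accounts        # login_id -> target systems (constructed data)
        self.max_attempts = max_attempts
        self.queue = []                 # SyncTask objects awaiting a set-password attempt
        self.target_passwords = {}      # (target, login_id) -> password set administratively
        self.notifications = []         # e-mails / tickets the server would raise
        self.flaky_targets = {}         # target -> remaining simulated failures (constructed)

    def check_policy(self, login_id, new_password):
        """First connection: return a list of violations (empty list means accepted).
        The rules are hypothetical and constructed for this example."""
        problems = []
        if len(new_password) < 12:
            problems.append("shorter than 12 characters")
        if not re.search(r"[A-Z]", new_password) or not re.search(r"[0-9]", new_password):
            problems.append("needs an upper-case letter and a digit")
        if login_id.lower() in new_password.lower():
            problems.append("contains the login ID")
        if problems:
            self.notifications.append(f"{login_id}: rejected ({'; '.join(problems)})")
        return problems

    def enqueue_sync(self, login_id, new_password):
        """Second connection: queue the event, resolved to one task per account."""
        for target in self.accounts.get(login_id, []):
            self.queue.append(SyncTask(login_id, target, new_password))

    def _admin_set_password(self, task):
        """Administrative set on the target; fails while the target is 'down'."""
        remaining = self.flaky_targets.get(task.target, 0)
        if remaining > 0:
            self.flaky_targets[task.target] = remaining - 1
            return False
        self.target_passwords[(task.target, task.login_id)] = task.new_password
        return True

    def process_queue(self):
        """One pass over the queue: re-queue failures until max_attempts, then alert."""
        pending, self.queue = self.queue, []
        for task in pending:
            task.attempts += 1
            if self._admin_set_password(task):
                continue
            if task.attempts < self.max_attempts:
                self.queue.append(task)          # retry on a later pass
            else:
                self.notifications.append(
                    f"{task.login_id}: sync to {task.target} failed after {task.attempts} attempts")


class LoginServer:
    """A system with a trigger installed (e.g. a password filter DLL or PAM module)."""
    def __init__(self, name, pm, local_passwords):
        self.name = name
        self.pm = pm
        self.local_passwords = dict(local_passwords)

    def native_password_change(self, login_id, current, new):
        # Native checks: the current password must match and the new one must differ.
        if self.local_passwords.get(login_id) != current or new == current:
            return "rejected-native"
        # First call: the extra policy; any violation blocks the native change entirely.
        if self.pm.check_policy(login_id, new):
            return "rejected-policy"
        # Local update, then the second call notifying Password Manager of the change.
        self.local_passwords[login_id] = new
        self.pm.enqueue_sync(login_id, new)
        return "accepted"


def run_demo():
    """Constructed scenario: one user, three other systems, z/OS down for one attempt."""
    accounts = {"jsmith": ["ldap.example", "zos.example", "unix.example"]}
    pm = PasswordManagerServer(accounts)
    pm.flaky_targets["zos.example"] = 1
    ad = LoginServer("ad.example", pm, {"jsmith": "OldPassw0rd!"})
    weak = ad.native_password_change("jsmith", "OldPassw0rd!", "jsmith2024")
    strong = ad.native_password_change("jsmith", "OldPassw0rd!", "Correct-Horse-7")
    passes = 0
    while pm.queue:
        pm.process_queue()
        passes += 1
    return {"weak": weak, "strong": strong, "passes": passes,
            "synced": sorted(t for (t, _) in pm.target_passwords),
            "notifications": pm.notifications}


if __name__ == "__main__":
    print(run_demo())
```

In the demo the weak choice is rejected on the first call and never reaches the local password store, matching the note that a policy failure blocks the native change; the strong choice is accepted locally, fans out to three targets, and the z/OS task is re-queued once before succeeding on the second pass.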
