How does Password Manager synchronize passwords?
Since passwords are typically hashed on each system in a non-reversible, fashion and since different systems use incompatible password hashes, password synchronization must be an active process that takes place whenever users change their passwords.
There are really just two ways to synchronize passwords. Password Manager supports both of the possible mechanisms for password synchronization:
- Transparent synchronization:
Password Manager can be configured to intercept native password changes on certain systems and:
- Apply a password policy beyond the one built into the system where a native password change first happened and potentially reject the initial password change
- Automatically synchronize the user's other passwords, on other systems, to the same value
Systems that can trigger password synchronization are Active Directory, Windows servers, OID, Linux and Unix (various), iSeries and z/OS (optional component).
- Web-based synchronization:
Users authenticate to the Password Manager web portal, using any browser, by keying in their NOS or directory ID and password. They can then set a single password on one or more of their own IDs on one or more systems.
What kind of database does Password Manager use?
Password Manager must be configured with a SQL-based relational database. The Password Manager replicating data service can be configured to use the following SQL database engines as its physical data store:
- Microsoft SQL Server 2016/2014/2012, Standard Edition.
- Microsoft SQL Server 2016/2014/2012, Express Edition, with Advanced Services (free download from https://www.microsoft.com/en-ca/) -- suitable for development, test and very small production environments.
Password Manager maintains an identity cache in the database, which contains data about users, identity attributes and group memberships drawn from target systems every few hours. This cache significantly improves the run-time performance of Password Manager, as it eliminates the need to repeatedly connect to target systems or to an external directory, to look up the same identity attributes again and again during the course of a workflow request or interactive user session.
The identity cache built into Password Manager:
- Is not an authoritative source of data -- it is updated on a scheduled
basis (i.e., every few hours).
- Stores data in a clearly documented SQL schema, available to
3rd party reporting programs.
- Includes automatic data replication between multiple Password Manager servers. This supports both scalability and high availability.