Using DirX Identity Web Center for Password Management
Identity Web Center for Password Management is a web application that provides password change functionality for end users and service desk members. The application runs on Apache Tomcat and can be accessed by standard Internet browsers.
Web Center for Password Management is only available with the password management license. Its configuration and functions overlap with the full Web Center application described in the chapter "Using DirX Identity Web Center".
This chapter describes the features and functions that are specific to Web Center for Password Management and references "Using DirX Identity Web Center" for information about features that are common to both versions.
Configuring Web Center for Password Management
Configuring Web Center for Password Management consists of the following tasks:
- Using the Web Center configuration file web.xml
- Configuring Web Center bind passwords
- Configuring single sign-on
- Configuring heap size
- Setting the default language
All of these tasks are common to both Web Center and Web Center for Password Management and are described in "Configuring Web Center". There are additional configuration parameters that are specific to Web Center for Password Management. For details, see the use case document "Password Management".
Logging In to Web Center for Password Management
Working with Web Center for Password Management is straightforward. Open your Internet browser and enter the URL of the application:
- http://someserver:port/pwdManagement-technicalDomainName
where
- someserver - Specifies the Web server address.
- port - Specifies the Web server port number.
- technicalDomainName - Specifies the technical domain name that you administered when configuring your system. (See the section "Domain Configuration" in the chapter "Configuring DirX Identity" in the DirX Identity Installation Guide for details.)
Example:
Tomcat usually uses the port number 8080.
Web Center for Password Management next displays the login page, which contains the following fields:
Authentication Domain - your master target system. Click the down arrow to select a target system from the list. This field is only visible when external authentication is enabled and when the Web Center for Password Management login page is configured to display it. See the use case document "Password Management" for details.
Name - your common name (usually your last name followed by your first name) or another kind of login string, for example, the UID or e-mail address, depending on the configuration of Web Center for Password Management. If configured, you can also specify only a part of the common name. If you selected an authentication domain, this is your login name in the master target system (which login name is used can be configured at the target system).
Password - your DirX Identity user password and/or your password in the selected authentication domain.
On this page, you can click:
Log in - to submit the login values in Name and Password to the server.
Web Center for Password Management compares the number of characters entered in the Name field with the value supplied in the loginForm.minChars parameter in the webCenter.properties file. If the subsequent search returns a unique result, Web Center for Password Management accepts the login request.
If you enter the wrong password you are prompted to correct it.
If you exceed the permitted number of failed logins (which is configured at the domain), your login is locked for some period of time, and you are redirected to the Authentication Questions dialog.
Password Forgotten - to display a dialog with challenge / response questions that allows you to set a new password.
Web Center for Password Management displays a configurable random selection of the challenge questions you have set up with the Self-Service dialog Add Authentication Questions. If you answer them correctly, you are allowed to change your password.
If you exceed the permitted number of failed attempts to answer authentication questions (which is configured at the domain), you are locked from further attempts for some time.
If you have not supplied your challenge/response questions, Web Center for Password Management prompts you to supply them after successful login. If you choose not to specify them at this time, Web Center for Password Management will prompt you again at your next session.
When you log in successfully to Web Center for Password Management using external authentication and your DirX Identity user password is different from the external master system password, Web Center for Password Management updates the user password with the master target system password and displays an informational message about the password change event. This password update can fail, for example, if the user password policy is inconsistent with the master target system password.
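The login behaviour described above (a minimum number of characters in Name, acceptance only when the search returns a unique user, a lock after too many failed logins) and the Service Desk action "Release locks" described later in this chapter can be modelled in a few lines. The following is an added illustration, not DirX Identity code: MIN_CHARS stands in for loginForm.minChars, MAX_FAILED_LOGINS and LOCK_SECONDS are assumed stand-ins for the lock settings configured at the domain, the attribute names are invented, and the user entries are constructed sample data.

```python
"""Login-name resolution and failed-login locking (added illustration, not
DirX Identity code). MIN_CHARS stands in for loginForm.minChars; the limits
MAX_FAILED_LOGINS and LOCK_SECONDS are assumed stand-ins for the lock settings
configured at the domain."""
import hashlib
import hmac
import os
import time

MIN_CHARS = 3            # assumed value of loginForm.minChars (webCenter.properties)
MAX_FAILED_LOGINS = 3    # assumed domain setting
LOCK_SECONDS = 900       # assumed domain setting


def _hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 50_000)


def make_user(cn, password):
    """A user entry with the lock-related attributes (invented names) that the
    Service Desk user summary page shows: lock expiry, last failure, failure count."""
    salt = os.urandom(16)
    return {
        "cn": cn, "salt": salt, "pwhash": _hash_password(password, salt),
        "failed_logins": 0, "last_failed": None, "login_locked_until": None,
        "failed_answers": 0, "answers_locked_until": None,
    }


def sample_directory():
    """Constructed sample users (not real data); two share the surname 'Fischer'."""
    return [make_user("Fischer Anna", "Wz!9rk-pelican"),
            make_user("Fischer Bernd", "Qt#3mv-harbour"),
            make_user("Meier Carla", "Lp&7sd-meadow")]


def resolve_login_name(name, directory, min_chars=MIN_CHARS):
    """Return the single user whose common name starts with `name`; None when the
    input is shorter than min_chars or when the search result is not unique."""
    if len(name) < min_chars:
        return None
    matches = [u for u in directory if u["cn"].lower().startswith(name.lower())]
    return matches[0] if len(matches) == 1 else None


def login(name, password, directory, now=None):
    """Return 'rejected', 'locked', 'wrong_password' or 'ok'. While the lock is
    active even a correct password is refused (the real login page then
    redirects to the Authentication Questions dialog)."""
    now = time.time() if now is None else now
    user = resolve_login_name(name, directory)
    if user is None:
        return "rejected"        # no unique user, so no entry to count the failure against
    if user["login_locked_until"] is not None and now < user["login_locked_until"]:
        return "locked"
    if hmac.compare_digest(_hash_password(password, user["salt"]), user["pwhash"]):
        user["failed_logins"] = 0   # assumed: a successful login clears the counter
        return "ok"
    user["failed_logins"] += 1
    user["last_failed"] = now
    if user["failed_logins"] >= MAX_FAILED_LOGINS:
        user["login_locked_until"] = now + LOCK_SECONDS
        return "locked"
    return "wrong_password"


def release_locks(user):
    """Service Desk 'Release locks': reset every lock-related attribute."""
    for key in ("failed_logins", "failed_answers"):
        user[key] = 0
    for key in ("last_failed", "login_locked_until", "answers_locked_until"):
        user[key] = None
    return user
```

Note that a name matching two entries ("Fischer") is refused before any password is checked, so an ambiguous login string never counts as a failed login against either user.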
About the Web Center for Password Management Layout
The Web Center for Password Management page layout is the same as the full Web Center application. See the section "About the Page Layout" in the chapter "Using DirX Identity Web Center" for details.
Logging Out of Web Center for Password Management
To log out, click Logout and then click Yes in the dialog box displayed.
Using the Password Self Service Menu
This section describes how to use Web Center for Password Management Self-Service operations, including:
- Display Summary - displays a summary of your data and the accounts you have in DirX Identity target systems
- Change Password - changes the password of one or more of your accounts
- Authentication Questions - manages your challenge / response questions and answers
Display Summary (Password Management)
This operation displays a summary of your user data, including general data and a list of your accounts in DirX Identity target systems. All the fields displayed in this page are read-only. See the context-sensitive help in the DirX Identity Manager or in the DirX Identity Connectivity or Provisioning Administration Guide for a description of the fields displayed in this page.
The Accounts section provides information about each account you have in a target system, including the target system name, the account state and the time and result of the last password change. Only accounts suitable for password synchronization are displayed.
Change Password (Password Management)
Use this operation to change your password. You can change your DirX Identity user password, the password of your master account and the passwords of your other accounts. The old password is always the most recent DirX Identity user password. The new password will be applied to the selected entries (User and master account, Other accounts).
The Password policy section shows the password policies that apply to your entry. When you change your password, the password you choose must comply with these policies. If there is no password policy, this part of the page is empty.
The User and master account section provides the Synchronize password box. If you want to change the master target system password and the user password, check this box. If you use external authentication, the master account is displayed. For the initial password setting you cannot uncheck user and master password synchronization.
The Other accounts section lists the accounts you have in the connected target systems. To select the accounts whose passwords you want to change, check the box in the Synchronize Password column for the account. By default, either all of your accounts are selected (if you have never used this operation before) or the accounts you selected last time you ran the operation are selected.
The Enter password section provides fields for entering the old password and entering a new password twice. Click in the space provided in Old password and then enter your old password. Next, click the space provided in New password and enter the new password according to the criteria (if any) shown in Password policy. Click in Repeat password and then enter the new password again.
Click Submit to start the password change process, or click Cancel to exit the dialog and return to your user summary page.
When you click Submit, Web Center for Password Management opens a new page that displays the password change states (pending, succeeded or failed) for the accounts you have selected. The page is automatically refreshed until no more password change is in state pending. To avoid infinite loops, the number of attempts to determine the password changes states is limited.
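The refresh loop described in the previous paragraph has one important edge case: an account whose target system never reports back would keep the page in state pending forever, which is why the number of attempts is limited. The following is an added illustration of that bounded polling, not DirX Identity code; MAX_REFRESH_ATTEMPTS is an assumed stand-in for the configured limit, and the target system names and state snapshots are constructed sample data.

```python
"""Bounded polling of per-account password change states (added illustration,
not DirX Identity code). MAX_REFRESH_ATTEMPTS is an assumed stand-in for the
limit on refresh attempts the page describes."""
PENDING, SUCCEEDED, FAILED = "pending", "succeeded", "failed"
MAX_REFRESH_ATTEMPTS = 20   # assumed limit on page refreshes


def poll_password_changes(fetch_states, max_attempts=MAX_REFRESH_ATTEMPTS):
    """Re-read the per-account states until none is pending or the limit is hit.
    Returns (states, attempts_used, settled). settled=False means at least one
    account never left 'pending'; its result is unknown, not failed, and should
    be reported as such rather than as a failure."""
    states = {}
    for attempt in range(1, max_attempts + 1):
        states = fetch_states()
        if PENDING not in states.values():
            return states, attempt, True
    return states, max_attempts, False


def simulated_server(snapshots):
    """Constructed stand-in for the server side: returns each snapshot in turn
    and keeps returning the last one once the list is exhausted."""
    remaining = list(snapshots)
    last = {}

    def fetch():
        nonlocal last
        if remaining:
            last = remaining.pop(0)
        return dict(last)   # copy, so callers cannot alter the server's view
    return fetch
```

With the sample snapshots below, the first call settles after three refreshes; the second never settles and returns with settled=False after the configured number of attempts instead of looping indefinitely.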
Authentication Questions (Password Management)
Use this operation to manage the authentication (challenge / response) questions to be displayed if you have forgotten your password.
The authentication questions are separated in up to three sections:
- Mandatory Questions - Your system administrator may define some questions that must be answered when authenticating via challenge/response. If so, you must define answers for these questions here.
- Questions from Proposal List - If your system administrator has defined a list of questions suitable for challenge/response authentications, you can select and answer questions from that list here. Click the down-arrow to open the list.
- Other Questions - You can enter and answer any question you like here, provided that your system administrator has not disabled free text questions.
To add a challenge / response pair to a section, click the add icon at the end of the section. To remove a challenge / response pair, click the delete icon in the respective row.
Click Submit to store your data. Click Cancel to return to the user summary without saving your changes.
Notes:
- Answers are case-sensitive. When authenticating via challenge / response later on, you must specify the answers exactly as entered here.
- Questions are always displayed in clear text; answers are always hidden. On input, you see only the number of characters you entered. Since the answers are stored in hashed format, they cannot be recovered and displayed later on. However, you can overwrite your answers at any time.
- Your system administrator can define requirements and restrictions on challenge/response pairs, including:
  - The minimum number of questions to define and answer.
  - The minimum response length.
  - Whether identical answers to different questions are permitted.
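The notes above describe the data model for challenge/response pairs: questions stored in clear text, answers stored only as hashes and compared case-sensitively, and administrator-defined restrictions checked before the pairs are saved. The following is an added illustration of that model, not DirX Identity code; the settings MIN_QUESTIONS, MIN_ANSWER_LENGTH, ALLOW_IDENTICAL_ANSWERS and MANDATORY_QUESTIONS are assumed stand-ins for the administrator's configuration, and the questions and answers are constructed sample data. Its verify_answers function also returns the questions that were answered incorrectly or not at all, which is what the Service Desk dialog "Authenticate Selected User" highlights.

```python
"""Challenge/response storage and policy checks (added illustration, not DirX
Identity code). The administrator settings below are assumed stand-ins for the
requirements and restrictions listed in the notes."""
import hashlib
import hmac
import os

MIN_QUESTIONS = 2                # assumed: minimum number of questions to define
MIN_ANSWER_LENGTH = 3            # assumed: minimum response length
ALLOW_IDENTICAL_ANSWERS = False  # assumed: identical answers to different questions
MANDATORY_QUESTIONS = ["What is your employee ID?"]   # constructed sample list


def hash_answer(answer, salt):
    # Answers are case-sensitive, so the text is hashed exactly as typed.
    return hashlib.pbkdf2_hmac("sha256", answer.encode("utf-8"), salt, 50_000)


def validate_pairs(pairs):
    """Return the list of policy violations for a {question: answer} mapping
    (an empty list means the pairs may be stored)."""
    problems = []
    for q in MANDATORY_QUESTIONS:
        if q not in pairs:
            problems.append(f"mandatory question not answered: {q!r}")
    if len(pairs) < MIN_QUESTIONS:
        problems.append(f"at least {MIN_QUESTIONS} questions required, {len(pairs)} given")
    for q, a in pairs.items():
        if len(a) < MIN_ANSWER_LENGTH:
            problems.append(f"answer to {q!r} shorter than {MIN_ANSWER_LENGTH} characters")
    if not ALLOW_IDENTICAL_ANSWERS and len(set(pairs.values())) < len(pairs):
        problems.append("identical answers to different questions are not permitted")
    return problems


def store_pairs(pairs):
    """Return the records to persist: the question in clear text, the answer only
    as a random salt plus hash, so it cannot be displayed again later."""
    problems = validate_pairs(pairs)
    if problems:
        raise ValueError("; ".join(problems))
    records = []
    for q, a in pairs.items():
        salt = os.urandom(16)
        records.append({"question": q, "salt": salt, "hash": hash_answer(a, salt)})
    return records


def verify_answers(records, answers):
    """Return the questions whose answer is missing or wrong (empty list = verified)."""
    failed = []
    for rec in records:
        given = answers.get(rec["question"])
        if given is None or not hmac.compare_digest(
                hash_answer(given, rec["salt"]), rec["hash"]):
            failed.append(rec["question"])
    return failed
```

Because only salt and hash are kept, overwriting an answer simply means generating a new record; the old answer is never recoverable from what was stored, which matches the note that answers can be overwritten but not displayed.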
Using the Password Service Desk Menu
This section describes how to use Web Center for Password Management’s Service Desk operations, including:
- Users - manages users.
- Password Policies - manages password policies.
- Reports - generates reports on selected password management-related information.
Managing Users
Resetting a user’s password from the Web Center for Password Management Service Desk consists of the following steps:
- Selecting the target user
- Viewing user data
- Resetting a user's password
- Releasing locks
The next sections describe these steps.
Selecting a User
To select a user, click Users and then choose Select User. Web Center displays a search panel that allows you to specify the filter items and search base for the request. Use this panel to find and select the user entry that interests you. The search base tree browser lets you select a node in the Users tree from which to start the search. Then use the Search for fields to filter the search, for example, to select only those users whose surnames begin with "F". For details on how to use the search panel, see the section "Using the Search Panel" in "Common Features for All Pages" in "About the Web Center Page Layout" in the chapter "Using Web Center". Start the search by clicking on the Search button.
The quicksearch control in the navigation bar below the menu provides a simple alternative way to search for users.
The search result list is displayed below the search panel. Click a user to select it and view its summary page, or right-click a user to display the context menu.
Viewing User Data
The user summary page displays some user properties, the relevant user accounts with their password change states, and the attributes related to locking login or other authentication attempts (via challenge/response or one-time password). You can, for example, see whether and until when login attempts are locked, the time of the last failed login and the current number of failed logins.
Among other icons, the page's toolbar contains icons to refresh the data, to reset the password and to unlock the user.
Resetting a User’s Password
To reset a user's password, do one of the following:
- Select Reset password from the user's context menu in the user list.
- Click the Reset password icon in the toolbar of the user's summary page.
- Select the Reset password item in the Users menu.
Authenticating the User’s Identity
Web Center for Password Management displays the Authenticate Selected User dialog, which allows you to verify the user’s identity. The dialog displays the user’s name and some of his or her attributes, along with the authentication questions (if any) the user has prepared (see "Authentication Questions" for details).
You can use this information to identify the user; for example, by asking the user for the values of some of the displayed attributes (for example, the user’s office telephone number) or asking the user for the answers to some or all of the authentication questions.
If you are using the authentication questions, enter the answers that the user gives into the Answers field and then click Verify. Incorrect or missing answers are highlighted. When you are certain that you have identified the user, click Confirm; otherwise, click Cancel or continue asking the user.
Completing the Password Reset
To complete the password reset, click Confirm. This action opens the Reset the User’s Password dialog.
In the User and master account section, check or clear the Synchronize password box.
In the Other accounts section, check or clear the Synchronize Password boxes for the user’s accounts in the target systems to select or deselect them for password reset.
In the Enter password section, enter a new password in the space provided in New password according to the password policy (if any) displayed in the Password policy section, or click Generate to allow Web Center to create a new password according to the password policy. Click Submit to start the password reset process, or click Cancel to abort it. Note that if you cancel, you will still not know the current password.
When you click Submit, Web Center for Password Management opens a new page that displays the password change status (pending, succeeded or failed) for the user’s accounts you selected. The page is automatically refreshed until no more password change is in state pending.
Releasing Locks
To release a user's locks, do one of the following:
- Select Release locks from the user's context menu in the user list.
- Click the Release locks icon in the toolbar of the user's summary page.
- Select the Release locks item in the Users menu.
A confirmation box pops up. Confirm that you really want to release the locks.
When confirmed, both locks are released and all lock-related attributes are reset. The lock-related fields on the user summary page should now be empty.
Managing Password Policies (Password Management)
Use the Password Policies page to create, modify and delete password policies. The top of the page displays a table of existing password policies.
To create a new password policy, click the Create Password Policy button. For a description of the password policy parameters, see the section "Password Policies" in the DirX Identity Provisioning Administration Guide and the topic "Password Policy Parameters" in the context-sensitive help.
To change an existing password policy, click it in the list. For a description of the password policy parameters, see the section "Password Policies" in the DirX Identity Provisioning Administration Guide and the topic "Password Policy Parameters" in the context-sensitive help.
To delete an existing password policy, check the box that appears at the beginning of its line. You can select several policies to be deleted. Click the Delete password policies button to remove the selected policies.
Running Reports
The Reports operation allows you to generate reports on selected DirX Identity objects, like users, assignments, privileges, and so on.
To select the objects on which to report, use the Search base and Scope fields in the Objects for the Report section. In the Templates section, Web Center displays the reports that you can run on the objects you selected.
For example, suppose you want to access the reports you can run on the users in the Finances organizational unit in the My-Company sample domain’s Users tree:
- In Search base, click the tree browser icon. In the tree browser pop-up window, navigate to the Finances node under Users → My-Company and then select it. The tree browser window closes and the Search base field shows Finances, My-Company, Users.
- In Scope, use the drop-down arrow to select the search scope for the selected search base:
  - Subtree search - searches all objects under the selected tree node.
  - One level search - searches only the next level of objects under this node.
  - Base DN search - searches only the selected tree node.
- Now the Templates section lists the available reports you can run on your selected objects. Note the pre-configured reports in the list that relate to Password Management. They are:
  - Number of registered users for Password Management - generates a report on the number of registered users in each organizational unit (a registered user is a user who has set up authentication questions for password reset; see the section "Authentication Questions" for details).
  - Users with Password Management - generates a report on users with accounts and attributes related to password management. This report is like the normal user report except for the section on Target System accounts, which shows all the accounts of the user with the target system name, the common name of the account, its state in the connected system, the time and result of the last password change and the usual flags indicating that the password cannot be changed, never expires or is not required.
  - Users with password management history - generates a report on per-user password changes, one password change per line.
The reports displayed in Templates depend on the list of pre-configured reports that the DirX Identity domain provides for the selected objects and on the access policies for the logged-in user. If no report templates are displayed, it means that you are not allowed to run any report on your object selection.
To run a report, click it in the list and then review the displayed result (sometimes it takes a little time for the report to be displayed). To download the report to a file, scroll to the bottom of the page and then click Save as file. Select the correct location and name of the file.