Password Manager Service (idpm)

The idpm service works in conjunction with trigger programs and libraries on various systems to implement transparent password synchronization.

Trigger systems establish a secure, encrypted TCP connection with the idpm service on the Bravura Security Fabric server. Connecting programs may:

  • Prompt the idpm service to evaluate a new password selected by a user, and determine whether it should be accepted (complies with password strength policy), or rejected.

  • Request from the idpm service a textual description of the current password policy.

  • Instruct the idpm service to synchronize a user’s passwords to a new value on all systems where the user has a login account.

The idpm program can also extend the functionality of web-based password management by allowing failed password changes to be queued for automatic retry. Queued password changes are then applied automatically to the affected accounts when the failed target system becomes available. Product administrators can enable queuing of password changes for idpm.

By default, the idpm service is available to all users when transparent password synchronization is activated.

During auto discovery, idpm queues password changes and sesslog entries. It still runs strength checks so that it can respond immediately, but it does not write to the database. After the service is taken off hold, it runs through the queued commands, executes them, and deletes the temporary file.

For more information on implementing transparent password synchronization, see Transparent Password Synchronization.

Configuration

The service is automatically installed and started on the Bravura Security Fabric server during setup. You can modify the following parameters related to this service on the Service information page:

Table 1. idpm service options

Required parameters:

Port number this service is running on

    This defaults to 3334.

    The port number selected must not be in use by any other service, including other instances of the Password Manager service (idpm).

    This port is used for communication with interceptors installed from Connector Pack 1.1 and newer. To enable communication with older interceptors, you must set a backward compatibility port, as explained below in this table.

Maximum number of concurrent threads the service should run

    The number of concurrent password synchronizations the Password Manager service can execute. The default is 8. Vary this according to the load limit of the Bravura Pass server and the number and type of target systems.

Timeout for connection in seconds

    The amount of time the Password Manager service waits, once it has made a socket connection and sent a synchronization request, before closing the connection. The default is 600.

Comma-delimited list of intervals, in minutes, to wait before retrying failed requests

    If a queued request fails, the Password Manager service waits the specified time before retrying. For example, 5,5,10,10,20,20 means that the Password Manager service retries at intervals of 5, 10, then 20 minutes until the failed target system becomes available.

    To specify no retries, enter a value of 0. To restore the default intervals, clear this field of all values, then click Update.

Optional parameters:

Comma-delimited list of IP addresses with CIDR bitmask that are allowed to send socket requests

    Bravura Security Fabric only accepts socket requests from the authorized IP/CIDR ranges defined in this field. Password synchronization interceptors that need to reach idpm must be listed in this field; otherwise their requests are rejected. See Allowing external communication with Bravura Security Fabric.

    The default is 127.0.0.1/32,::1/128

Perform password strength check on non-Bravura Pass users

    Select the Enable checkbox if you want the Password Manager service to enforce the password strength rules defined in Bravura Pass when a non-Bravura Pass user (one not in the user table), or a user who is not registered for transparent password synchronization, changes their password on a trigger system.

Perform transparent password synchronization on locked out users

    Select the Enable checkbox if you want the Password Manager service to perform transparent password synchronization for locked-out users.

    The profile status of locked-out users is not affected by selecting or deselecting this option.

Enable this port for backward compatibility (to communicate with older interceptors/triggers). Must be different from Port number above

    This port facilitates communication with interceptors that use the legacy protocol. This includes:

      • Unix and LDP interceptors

      • OS/400 interceptors installed with Bravura Pass 7.0 or earlier

      • Interceptors installed with Mainframe Connector

      • Any interceptor installed with Bravura Pass version 6.x or older.

    You must use a different port number than the one specified for Port number this service is running on.

    If the wrong ports are used, connections are dropped and the passwords are not synchronized.

IDPM BLOCK CHECK ALL NODES

    Controls whether all replication nodes are checked from other nodes for blocking records when there are password reset requests from the UI and when transparent synchronization is set up. This can be disabled if only one node is available for end-user password resets or when transparent synchronization is not used. The default is Disabled.



The following table lists Password Manager service events that can trigger email or updates on ticket systems.

Command-line options for idpm are listed below:

Table 3. idpm command-line options

-h

    Displays usage information.

-v

    Displays version number only.

-clearqueue

    Clears the queue. The service must be manually stopped before using this option.

    Warning

    This operation removes all records of outstanding requests.

-config

    Displays service configuration information.

-server

    Runs the service in server mode.

-start

    Starts the service.

-stop

    Stops the server/service.



Allowing external communication with Bravura Security Fabric

Communication with the Bravura Pass server is controlled by an access control list. When you install the Password Manager service, it automatically sets the access control for the local server, "127.0.0.1/32,::1/128", with all allowable access so that it can perform its operations with no modification.

To allow external servers access to the Password Manager service on the primary Bravura Security Fabric server, you must set up the Comma-delimited list of IP addresses with CIDR bitmask that are allowed to send socket requests on the Password Manager service information page.

The external server ACLs are based on a server's IP address defined using Classless Inter-Domain Routing (CIDR) notation, which allows address ranges to be expressed.

Testing

To verify that the service is running, try to connect to the port number it uses with Telnet. For example, from the Bravura Security Fabric server, type:

telnet localhost 3334

You should see nothing returned.

If using load balancers, do not configure any SSL options for transparent synchronization traffic. SSL options should only be configured on load balancers for WebUI traffic, not transparent synchronization. Transparent synchronization is encrypted using a proprietary encryption algorithm. Contact support@bravurasecurity.com for more details.

Monitoring transparent password synchronization

Managing the Password Manager Service queue

Monitor transparent password synchronization by running synchronization reports. You may need to remove queued items to improve performance.

Queued transparent synchronization items that you select and remove are not retried against their destination targets and are marked as failed synchronizations.

To remove items from the transparent synchronization queue:

  1. Click Manage the system > Maintenance > Services.

  2. Select Bravura Security (idpm) Password Manager Service.

  3. Select Manage work queue in the bottom table.

  4. Enter search criteria and click Search.

  5. Select the items you want to remove and click Cancel.

Monitoring transparent password synchronization on Windows servers

Monitor the health of the Password Change Notification Module on Windows NT PDCs and Active Directory DCs. Run netstat -an to see whether there are many (more than 20 or 30) TCP connections pending between the PDC/DC and the Bravura Pass server. If so, there may be a problem with the Bravura Pass server.

Sometimes, you may find that the Password Manager service (idpm) appears to be failing to synchronize passwords changed on a Windows server. In many cases this is caused by the Password Change Notification Module interceptor (psintcpt.dll) timing out before it has communicated a password change to idpm. The default timeout period for psintcpt.dll is 60 seconds. You can extend this timeout period in the intcptsvc.cfg file.

See Password interceptor service (intcptsvc) configuration for more information.

Warning

It is strongly recommended that you edit intcptsvc.cfg only under the direction of a Bravura Security support technician.

The password interceptor service, intcptsvc, is part of the Bravura Security Password Change Notification Module, which also includes the psintcpt.dll. The service queues DLL requests and communicates with the Password Manager service (idpm). The DLL is loaded into the Windows Local Security Authority (LSA) policy to capture native password changes.

This section explains how you can extend the functionality of the Password Change Notification Module to apply different interceptor settings based on a user's DN, group membership and attributes.

This service is installed by intcpt.msi or intcpt-64.msi on a Windows transparent password synchronization trigger.

You can configure the interceptor service, intcptsvc, to include or exclude certain users when they make password change requests on Windows trigger systems. The excluded requests are not sent to the Password Manager service (idpm), but are instead processed by the Windows password change facility as usual. This can be used to reduce network traffic between the trigger system and idpm.

You can configure the Password Change Notification Module filter using the configuration file, intcptsvc.cfg, located in:

<Program Files path>\Bravura SecurityPassword Filter\service\

See the intcptsvc.cfg file for basic instructions, and samples located in:

<Program Files path>\Bravura SecurityPassword Filter\samples\

Caution

Do not alter intcptsvc.cfg unless you know what you are doing.

For deployments on Windows NT environments, areas that are commented out should not be edited, due to limitations of Windows NT.

The sample intcptsvc.cfg file below shows a modified configuration file for an Active Directory environment. In this file:

  • The QueryAttributes group has been edited to specify attributes to query.

    Using QueryAttributes = All may slow down interceptor performance because it needs to retrieve all user attributes that have values (non blank). This option is suitable for designing the configuration at the early stage. You can then specify individual attributes once you know what you are looking for.

  • Bypass defines matching accounts that will not be sent to the Password Manager service for password strength checking or password synchronization.

    When used with the NotAny operation, it includes the defined accounts; that is to say, "do not skip these accounts".

  • BypassNotify defines matching accounts that will not be sent to the Password Manager service for password synchronization.

  • The configuration file maps to one Password Manager service only. The case below is mapped to the service at IP address 10.0.5.8, port 3334. This can be the virtual IP of a Network Load Balancer.

  • One physical Active Directory DC maps to two logical Target IDs in Bravura Security Fabric: End_Users and Admin_Users logical targets in Bravura Pass. These two targets map to different target groups with their own password policies.

The idea is that an Active Directory account is treated as an administrator account if it:

  • Is a member of at least one of the specified administrator groups; specified by the Bypass operation "NotAny" "memberOf", which has the effect of including the defined accounts.

  • Is not one of the specified account names, Guest and krbtgt.

  • Is not a disabled account; specified by the userAccountControl match "([0-1])*10".

If an administrator is a member of the Domain Admins group, their password change is examined by the Password Manager service, but it is not synchronized to other associated targets. Instead, the password is changed locally only.

See the Sample intcptsvc.cfg file for more information.

See also

Use the following utilities, shipped with the Password Change Notification Module, to help write the configuration file:

  • userattrs

    Use the userattrs program to query account attributes in Microsoft Active Directory, to find specific attributes that may be useful as search criteria when designing the intcptsvc configuration file.

  • verifycfg

    Use the verifycfg program to verify that a given account will be bypassed by password strength checking and/or synchronization, according to per-target criteria set in the specified intcptsvc configuration file. Neither actual account strength checking, nor synchronization, is performed by this utility. This tool is useful for verifying whether the configuration file is designed properly before putting the interceptor online.

# KVGROUP-V2.0
config "" = {
  PMServer = {
    Address = 10.0.5.8;
    Port = 3334;
    ConnectTimeOut = 10; # default timeout 10 seconds
    # How many times to retry if the connection or communication failed
    MaxRetry = 10; # default maximum retry count is 10
    RetryDelay = 5; # default interval between each retry
    };
  # The total timeout for doing the password strength check on all targets
  StrengthCheckTimeOutSeconds = 60;
  # How many times to retry if the IDPM server returns a recoverable error
  StrengthCheckRetry = 3;
  # Queue polling time
  QueuePollTimeSeconds = 60;
  # A queued item is discarded if it exceeds this setting
  NotificationExpireSeconds = 86400;
  # Discard this notification if it has been tried the maximum number of times
  DiscardNotificationAfterTried = 100;
  # If an exception occurred: 1 -- return strength check succeeded, 0 -- return strength check failed
  BypassStrengthOnException = 1;
  MaxSessionLifeSeconds = 60; # default maximum lifetime for a session is 60

  # Regular expression to bypass both strength check and password change notification based on
  # sAMAccountName before retrieving account attributes.
  # The default setting bypasses empty user names and computer accounts
  sAMAccountNameBypassRegEx = "^\\s*$|^.*\\$+$";

  # ADsPath has the syntax: LDAP://HostName[:PortNumber][/DistinguishedName]
  # The following variables can be used for the HostName and DistinguishedName
  # %PDC%    -- primary domain controller
  # %DC%     -- default domain controller
  # %DN%     -- default naming context
  ADsPath = "LDAP://%DC%/%DN%";

  # LDAP search filter for querying the account's attributes; the account name variable %USER% can be used in the filter
  # %USER%   -- the account name
  # ADsSearchFilter = "(&(objectCategory=person)(objectClass=user)(sAMAccountName=%USER%))";
  ADsSearchFilter = "(sAMAccountName=%USER%)";

  # QueryAttributes defines attributes that will be used by the PSLang BypassCheck
  # function and the Target-based bypass check for integrating with Active Directory.
  # There is one inherent attribute, '_AccountName_'; this is the only
  # attribute that can be supported on a non-Active Directory platform.
  # Following are sample attributes for an Active Directory provider.
  # Specifying "All" as QueryAttributes, instead of a list of attributes,
  # indicates to query all possible attributes for the user.
  # QueryAttributes = All;

  # Active Directory attributes sample
  QueryAttributes = {
    "distinguishedName";
    "userAccountControl";
    "memberOf";
    "objectSid";
    "pwdLastSet";
    "replPropertyMetaData";
    "whenCreated";
    "whenChanged";
    "logonHours";
    "lastLogon";
    };

  Targets = {
    End_Users = {
      # IDPM return code:
      #   0 -- Communication failure
      #   1 -- Communication timeout
      #  99 -- IDPM service internal database access failure
      # 100 -- Weak password
      # 101 -- Access denied ( ACL )
      # 102 -- User not found
      # 103 -- User has been locked out
      # 104 -- User has not been registered
      # 105 -- User has been disabled
      # 106 -- Account not specified
      # 107 -- TargetID not specified
      # 119 -- Invalid operation code
      # 120 -- Invalid request version
      # 200 -- Good password
      CheckStrengthFailIfIDPMReturn = { 100; };
      CheckStrengthOnly = 0;
      # If the target longid isn't the default sAMAccountName, define the longid as:
      # LongID = "%sAMAccountName%";
      # LongID = "DomainName\\%sAMAccountName%";
      # LongID = "%distinguishedName%";
      LongID = "LongIDMatchesPMTarget";

      # Target-based bypass settings are based on 'Condition Groups'; a 'Condition Group' has the definitions below:
      #
      # Defines the conditions to bypass both strength check and password change notification
      # Bypass "LogicalOperation" = {
      #   ConditionGroup1;
      #   ConditionGroup2;
      #   ...
      #   };
      #
      # ConditionGroup:
      # LogicalOperation [Attribute] = {
      #   Expression1;
      #   Expression2;
      #   ConditionGroup1;
      #   ConditionGroup2;
      #   };
      #
      # LogicalOperations:
      # "Any", "All", "NotAny", "NotAll"
      #
      # ComparisonOperators:
      #  Equal, NotEqual, Like, NotLike, Match, NotMatch, Great, Less, GreatEqual, LessEqual
      # SpecialOperations: Exists, NotExists
      #
      # Expression:
      #   ComparisonOperator[:OperationModifier] = Pattern;
      #   SpecialOperation;
      #
      # 'Match' and 'NotMatch' use the TR1 Regular Expression standard and ECMAScript grammar.
      # The 'OperationModifier' is an option for the 'ComparisonOperation'; specify 'i'
      # to make the comparison case insensitive. The KVG expression treats value and
      # pattern as strings by default; use the 'OperationModifier' to specify a type or to transform
      # both value and pattern before making the comparison.
      #   'i' -- case-insensitive comparison
      #   'b' -- convert decimal integer to bit string
      #   'h' -- convert decimal integer to hexadecimal string
      #   'B' -- convert hex string to bit string
      #   't' -- convert file time integer to yyyymmddhhmmss UTC time string
      #   'I' -- compare as 64-bit integers for the arithmetic comparison operators
      #
      # Defines the condition to bypass password change notification
      # BypassNotify "LogicalOperation" = {
      #   ConditionGroup1;
      #   ConditionGroup2;
      #   ...
      #   };
      # For example, to bypass both the password strength check and the
      # password change notification on this target for any account whose name starts
      # with root or Admin, or for users in the Administrators group or the Managers
      # group:
      # Bypass "Any" = {
      #    "Any" "_AccountName_" = {
      #      Like = "root*";
      #      Like = "Admin*";
      #     };
      #    "Any" "memberOf" = {
      #      Equal = "Administrators";
      #      Equal = "Managers";
      #    };
      # };

      CheckStrengthFailIfIDPMReturn = { 100; };
      CheckStrengthOnly = 0;
      Bypass "Any" = { # Bypass strength check to Bravura Pass
        "Any" "userAccountControl" = {
          # Disabled accounts bypass the Bravura Pass strength check.
          # The disabled-account control number is 2 (binary -> 10).

          # Convert the userAccountControl number from decimal to a bit
          # string, then use a regular expression for comparison.
          match:b = "([0-1])*10";
          };
        "Any" "logonHours" = {
          Match:B = "([1])*";
          };
        "Any" "pwdLastSet" = {
          match:t = "1290538([0-9])*";
          };
        "Any" "lastLogon" = {
          Less:I = 128539593944756250;
          };
        "Any" "_AccountName_" = {
          # put the computer accounts below that are bypassing Bravura Pass
          Equal:i = "Guest";
          Equal:i = "krbtgt";
          Equal:i = "LethBridgeUser1";
          };

        "Any" "distinguishedName" = {
          Like:i = "*OU=Calgary*";
          };

        "Any" "memberOf" = {
          # Accounts with membership in the following groups are
          # bypassing Bravura Pass

          Like:i = "CN=Administrators,CN=Builtin*";
          Like:i = "CN=Domain Admins*";
          Like:i = "CN=Enterprise Admins*";
          };
        };

      BypassNotify "Any" = { # Bypass password synchronization to Bravura Pass
        "Any" "_AccountName_" = {
          Equal = "LethbridgeUser2";
          };
        }; # End of BypassNotify
      }; # End of 'End_Users' Target

    Admin_Users = {
      CheckStrengthFailIfIDPMReturn = { 100; };
      CheckStrengthOnly = 0;
      # If the target longid isn't the default sAMAccountName, define the longid as:
      # LongID = "%sAMAccountName%";
      # LongID = "DomainName\\%sAMAccountName%";
      # LongID = "%distinguishedName%";
      LongID = "LongIDMatchesPMTarget";

      Bypass "Any" = { # Bypassing strength check to Bravura Pass
        "Any" "userAccountControl" = {
          # Disabled accounts bypass the Bravura Pass strength check
          match:b = "([0-1])*10";
          };

        "Any" "_AccountName_" = {
          # put the computer accounts below that are BYPASSING Bravura Pass
          Equal:i = "Guest";
          Equal:i = "krbtgt";
          };

        "NotAny" "memberOf" = {
          # Accounts with membership in the following groups are
          # SENDING to Bravura Pass
          Like = "CN=Administrators,CN=Builtin*";
          Like = "CN=Domain Admins*";
          Like = "CN=Enterprise Admins*";
          };
        };

      BypassNotify "Any" = { # Bypassing password synchronization to Bravura Pass
        "Any" "memberOf" = {
          Like = "CN=Domain Admins*";
          };
        }; # End of BypassNotify
      }; # End of 'Admin_Users' Target

    };
  };