
Password Manager Service (idpm)

The idpm service works in conjunction with trigger programs and libraries on various systems, to implement transparent password synchronization.

Trigger systems establish a secure, encrypted TCP connection with the idpm service on the Bravura Security Fabric server. Connecting programs may:

  • Prompt the idpm service to evaluate a new password selected by a user, and determine whether it should be accepted (complies with password strength policy), or rejected.

  • Request a textual description of the current password policy from the idpm service.

  • Instruct the idpm service to synchronize a user’s passwords to a new value on all systems where the user has a login account.

The idpm program can also extend the functionality of web-based password management by allowing failed password changes to be queued for automatic retry. Password changes may then be implemented automatically for the accounts when the failed target system becomes available. Product administrators can enable queuing of password changes for idpm.

By default, the idpm service is available to all users when transparent password synchronization is activated.

During auto discovery, idpm queues password changes and sesslog entries. It will run strength checks for immediate response, but will not write to the database. After the service is taken off hold, it will run through the queued commands, execute them, and delete the temporary file.

For more information on implementing transparent password synchronization, see Transparent Password Synchronization.

Configuration

The service is automatically installed and started on the Bravura Security Fabric server during setup. You can modify the following parameters related to this service on the Service information page:

Table 1. idpm service options

Option

Description

Required parameters:

Port number this service is running on

This defaults to 3334. This port is used for communication with interceptors installed from Connector Pack 1.1 and newer. To enable communication with older interceptors, you must set a backward compatibility port, as explained below in this table.

The port number selected must not be in use by any other service, including other instances of the Password Manager service (idpm).

Maximum number of concurrent threads the service should run

The number of concurrent password synchronizations the Password Manager service can execute. The default is 8. You should vary this according to the load limit of the Bravura Pass server and the number and type of target systems.

Timeout for connection in seconds

The amount of time the Password Manager service will wait, once it has made a socket connection and sent a synchronization request, before killing the connection. The default is 600.

Optional parameters:

Comma-delimited list of IP addresses with CIDR bitmask that are allowed to send socket requests

Bravura Security Fabric only accepts socket requests from the authorized IP/CIDR ranges defined in this field. Password synchronization interceptors that need to access idpm must be defined in this field; otherwise their requests are rejected. See Allowing external communication with Bravura Security Fabric.

The default is 127.0.0.1/32,::1/128.

Perform password strength check on non-Bravura Pass users

Select the Enable checkbox if you want the Password Manager service to enforce the password strength rules defined in Bravura Pass, when a non-Bravura Pass user (not in the user table) or a user who is not registered for transparent password synchronization changes his or her password on a trigger system.

Perform transparent password synchronization on locked out users

Select the Enable checkbox if you want the Password Manager service to enforce the transparent password synchronization on locked out users.

The locked out users profile status is not affected by selecting or deselecting this option.

IDPM BLOCK CHECK ALL NODES

Controls whether all replication nodes should be checked from other nodes for blocking records when there are password reset requests from the UI and when transparent synchronization is set up. This can be disabled if only one node is available for end user password resets or when transparent synchronization is not used. The default is Disabled.

Enable this port for backward compatibility (to communicate with older interceptors/triggers). Must be different from Port number above

This port facilitates communication with interceptors that use legacy protocol. This includes:

  • Unix and LDP interceptors

  • OS/400 interceptors installed with Bravura Pass 7.0 or earlier

  • Interceptors installed with Mainframe Connector

  • Any interceptor installed with Bravura Pass version 6.x or older.

You must use a different port number than the one specified for Port number this service is running on.

If the wrong ports are used, connections are dropped and the passwords are not synchronized.
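As an added example that is not part of the Bravura documentation or product, the following Python script checks the allow-list field and the port pair described above before they are applied; the interceptor addresses and list entries it is fed are constructed for illustration, and only the standard library is used.

```python
# Pre-flight check for the idpm socket settings described above.
# Added example for this page, not Bravura Security code; the sample
# allow-list entries and interceptor addresses are constructed.
import ipaddress

# Documented default for the allow-list field.
DEFAULT_ALLOW_LIST = "127.0.0.1/32,::1/128"


def parse_allow_list(field):
    """Parse the comma-delimited IP/CIDR field into network objects.

    strict=True makes ipaddress reject an entry with host bits set
    (e.g. 10.0.0.5/24), so a typo cannot silently widen the range.
    """
    networks = []
    for raw in field.split(","):
        entry = raw.strip()
        if entry:
            networks.append(ipaddress.ip_network(entry, strict=True))
    return networks


def unreachable_interceptors(field, interceptor_ips):
    """Return interceptor addresses that no entry covers; idpm rejects
    socket requests from them, so those hosts never synchronize."""
    networks = parse_allow_list(field)
    missing = []
    for ip in interceptor_ips:
        addr = ipaddress.ip_address(ip)
        # Containment across IP families is simply False, never an error.
        if not any(addr in net for net in networks):
            missing.append(ip)
    return missing


def overly_broad_entries(field):
    """Return entries with prefix length 0 (0.0.0.0/0 or ::/0): they
    admit every source of that IP family and defeat the allow-list."""
    return [str(net) for net in parse_allow_list(field) if net.prefixlen == 0]


def port_problems(service_port, compat_port=None):
    """Check the main port and the optional backward-compatibility port."""
    problems = []
    for name, port in (("service", service_port), ("compat", compat_port)):
        if port is not None and not 1 <= port <= 65535:
            problems.append(f"{name} port {port} out of range")
    if compat_port is not None and compat_port == service_port:
        problems.append("backward-compatibility port must differ from service port")
    return problems
```

Run it against the planned field values before saving them on the Service information page; any address returned by unreachable_interceptors would have its synchronization requests rejected.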

The following table lists Password Manager service events that can trigger email or updates on ticket systems.

Command-line options for idpm are listed below:

Table 3. idpm command-line options

Argument

Description

-h

Displays usage information.

-v

Displays version number only.

-clearqueue

Clears the queue. The service must be manually stopped before using this option.

Warning

This operation removes all records of outstanding requests.

-config

Displays service configuration information.

-server

Run the service in server mode.

-start

Starts the service.

-stop

Stops the server/service.