
Target systems composed of multiple servers

Applies to Bravura Pass

Some target systems are composed of multiple servers. These include:

  • Multiple Active Directory domain controllers that comprise a single domain

  • An NIS master server and multiple NIS secondary servers that make up an NIS domain

  • Operating system, DBMS, and application target systems that function as a single logical application system

It is normally desirable, and frequently mandatory, to synchronize passwords between component servers in such a composite environment. Implementing password management and synchronization on composite systems raises two technical challenges:

  • If the system already synchronizes passwords between components, it may do so too slowly. In these cases, Bravura Security Fabric has to take measures to replace slow, native synchronization with its own, faster synchronization. This is true of global, native-mode Active Directory networks.

  • If a system does not already synchronize passwords, then Bravura Pass should enforce synchronization for it. This is true of some custom and vertical-market applications.

Bravura Pass supports these systems using the concept of a sub-host. A sub-host is one of multiple target systems on which Bravura Pass can manage passwords that together form a single larger target system; for example, while an Active Directory domain is a single target system, each individual domain controller is considered a sub-host. Since native Active Directory password changes may take hours to propagate to all domain controllers in a global organization, the sub-host mechanism can be used to ensure that the new password is made available to the end-user immediately.

You can implement sub-host password management by writing a sub-host plugin – a small program that Bravura Pass runs when it needs to manage passwords on a composite target system.

Bravura Pass includes support for sub-hosts on the following target systems:

To accelerate password changes on global Active Directory domains, Bravura Pass uses the dcselect and w2kranddc plugins.

When users change their passwords in a domain:

  • The w2kranddc sub-host plugin randomly selects sub-hosts on which to make the change. Use this plugin when you have a large number of domain controllers and want to limit the number of servers on which passwords can be changed.

  • The dcselect sub-host plugin selects a domain controller based on its proximity to the user. It uses site information with IP addresses (the user’s web browser, home directory/server) to identify domain controllers where the user’s password should be changed immediately. This eliminates the latency of password propagation for the user.

    Note

    This plugin works on the domain format target address only: <UNPNAME> or <DOMAINNAME>\<USERNAME>.

w2kranddc and dcselect

The w2kranddc and dcselect sub-host plugins are run by the Help users (IDA) module, Change passwords (PSS) module, and Password Manager service (idpm), when configured by the Program to run to generate a list of target systems plugin point.

The w2kranddc and dcselect sub-host plugins use "cached" site information stored in the following files:

  • dclist.txt – you generate this file automatically by running the dcdiscovery program

  • dc.man – (Optional) you create this file manually to add site information not included by dcdiscovery in the dclist.txt file

In order for w2kranddc or dcselect to use these files, they must be located in the \<instance>\script\ directory.

Details on dcdiscovery, dclist.txt, and dc.man are included below.

Use the dcdiscovery utility to search and archive a list of sites and domain controllers in a Microsoft Active Directory domain. The information is saved in the dclist.txt file in the \<instance>\script\ directory. You can specify another name for this file.

The dcdiscovery utility is useful in global Active Directory domains with multiple sites and domain controllers. When users change their passwords in a domain, a sub-host plugin can use the information cached by the dcdiscovery utility to immediately set the users’ passwords in the appropriate domain controllers.

The following sub-host plugins use the information archived by dcdiscovery when configured by the Program to run to generate a list of target systems plugin point:

  • dcselect selects a domain controller based on its proximity to the user. This eliminates the latency of password propagation for the user.

  • w2kranddc makes a random selection.

Both of these sub-host plugins can also use information saved in the dc.man file that you can create and install in the \<instance>\script\ directory. The dc.man file is used to save site information not saved by dcdiscovery in dclist.txt.

The dcdiscovery program automatically generates the dclist.txt file; however, in some cases, you may need to manually create this file. For example, dcdiscovery will not work if your Active Directory does not have complete site information.

Write the dclist.txt file in the following format:

DOMAIN "<domain name>"
SITENAME "<site name>" "<site description>"
DC "<domain controller name>" "<IP address>" "<optional description>"
SITELINK "<sitelink.com>"
SUBNET "<IP address range>" "<site name>"

Where each site can have zero or more domain controllers (DC), zero or more links (SITELINK), and one or more subnets (SUBNET). For example, write the dclist.txt file as:

DOMAIN "eg.com"
SITENAME "RABU.eg.com" "Sydney Office - Sydney, Australia"
DC "arbundc0.eg.com" "172.25.130.252" ""
SITELINK "RABL.eg.com"
SITELINK "RAPL.eg.com"
SITELINK "RASA.eg.com"
SITELINK "YUMT.eg.com"
SITELINK "SUTC.eg.com"
SUBNET "172.23.204.0/23" "HTSI.eg.com"
SUBNET "165.28.173.0/24" "SUNP.eg.com"

The dc.man file allows users to specify additional domain site and domain controller information that the automatic discovery process does not or is not able to gather. It also allows users to exclude certain sites or controllers from Bravura Security Fabric operations if there is a need to do so.

Write the dc.man file in the following format:

DOMAIN "<domain name>"
SITE "<site name>" "<domain controller name>"
excludeDC "<domain controller name>"
excludeSite "<site name>"

The excludeDC and excludeSite lines are optional. If specified, programs like dsdisc will ignore the defined domain controllers and sites. A site can be excluded, for example, to prevent dcselect from automatically choosing the site based on a user’s profile or IP address information. Domain controllers that are members of an excluded site are not automatically hidden. You must use excludeDC to exclude them.

The site name defined by SITE can include the wildcards ? for any single character and * for any number of characters. Domain controllers that are to be used as default targets can be specified using the * site. Wildcards cannot be used in excludeSite definitions.

For example, write the dc.man file as:

DOMAIN "eg.com"
SITE "RAPL.eg.com" "arbundc0.eg.com"
SITE "RASA.eg.com" "arbundc0.eg.com"
SITE "RASL.eg.com" "arbundc0.eg.com"
SITE "TAHA.eg.com" "uktcndc0.eg.com" "uktcndc1.eg.com" "uktcndc2.eg.com"
SITE "TAVI.eg.com" "uktcndc0.eg.com" "uktcndc1.eg.com" "uktcndc2.eg.com"
excludeDC "arbundc1.eg.com"
excludeDC "arbundc2.eg.com"
excludeSite "TASA.eg.com"
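As an added example (not part of the Bravura documentation or its tooling), the following Python script parses the two file formats above and shows how a proximity-based choice like the one dcselect makes can be derived from them: the client IP is matched against SUBNET records, the matching site's DC entries plus any dc.man SITE entries whose wildcard pattern fits the site are collected, excludeSite and excludeDC are applied, and the * site supplies defaults when nothing else matches. The sample dclist.txt and dc.man contents are constructed, and the selection order (longest-prefix subnet match, * used only as a fallback) is an assumption about dcselect, not documented behaviour.

```python
"""Added example (not Bravura code): parse dclist.txt / dc.man and pick DCs by client IP."""
import fnmatch
import ipaddress
import shlex
from dataclasses import dataclass, field

# Constructed samples in the dclist.txt and dc.man layouts; values are illustrative only.
DCLIST_SAMPLE = """
DOMAIN "eg.com"
SITENAME "RABU.eg.com" "Sydney Office - Sydney, Australia"
DC "arbundc0.eg.com" "172.25.130.252" ""
DC "arbundc1.eg.com" "172.25.130.253" ""
SITELINK "RABL.eg.com"
SUBNET "172.25.130.0/24" "RABU.eg.com"
SITENAME "TAHA.eg.com" "London Office"
DC "uktcndc0.eg.com" "10.1.0.5" ""
SUBNET "10.1.0.0/16" "TAHA.eg.com"
SITENAME "TASA.eg.com" "Lab network"
DC "labdc0.eg.com" "10.1.200.5" ""
SUBNET "10.1.200.0/24" "TASA.eg.com"
"""
DCMAN_SAMPLE = """
DOMAIN "eg.com"
SITE "TA??.eg.com" "uktcndc1.eg.com"
SITE "*" "hubdc0.eg.com"
excludeDC "arbundc1.eg.com"
excludeSite "TASA.eg.com"
"""

@dataclass
class SiteData:
    domain: str = ""
    sites: dict = field(default_factory=dict)      # site -> [DC names]         (SITENAME/DC)
    subnets: list = field(default_factory=list)    # (ip_network, site)         (SUBNET)
    man_sites: list = field(default_factory=list)  # (site pattern, [DC names]) (SITE)
    exclude_dcs: set = field(default_factory=set)
    exclude_sites: set = field(default_factory=set)

def parse_site_file(text, data):
    """Load one dclist.txt or dc.man file into data; shlex honours the quoting."""
    current = None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        kw, *f = shlex.split(raw)
        if kw == "DOMAIN":
            if data.domain and f[0] != data.domain:
                raise ValueError("DOMAIN differs between dclist.txt and dc.man")
            data.domain = f[0]
        elif kw == "SITENAME":
            current = f[0]
            data.sites.setdefault(current, [])
        elif kw == "DC":
            if current is None:
                raise ValueError("DC record before any SITENAME")
            data.sites[current].append(f[0])
        elif kw == "SUBNET":
            data.subnets.append((ipaddress.ip_network(f[0], strict=False), f[1]))
        elif kw == "SITE":
            data.man_sites.append((f[0], f[1:]))
        elif kw == "excludeDC":
            data.exclude_dcs.add(f[0])
        elif kw == "excludeSite":
            data.exclude_sites.add(f[0])
        elif kw != "SITELINK":  # links between sites play no part in the selection here
            raise ValueError(f"unknown keyword {kw!r}")
    return data

def site_for_ip(data, ip):
    """Longest-prefix match of the client IP against the SUBNET records (assumed rule)."""
    addr = ipaddress.ip_address(ip)
    best = None
    for net, site in data.subnets:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, site)
    return best[1] if best else None

def select_dcs(data, ip):
    """DCs of the client's site plus matching dc.man SITE entries, minus excludeDC;
    an excluded or unknown site falls back to the * site (assumed rule)."""
    site = site_for_ip(data, ip)
    chosen = []
    if site and site not in data.exclude_sites:
        chosen += data.sites.get(site, [])
        for pattern, dcs in data.man_sites:
            if pattern != "*" and fnmatch.fnmatchcase(site, pattern):
                chosen += dcs
    if not chosen:
        chosen = [dc for pattern, dcs in data.man_sites if pattern == "*" for dc in dcs]
    return [dc for i, dc in enumerate(chosen)
            if dc not in data.exclude_dcs and dc not in chosen[:i]]

def load_sample():
    return parse_site_file(DCMAN_SAMPLE, parse_site_file(DCLIST_SAMPLE, SiteData()))

if __name__ == "__main__":
    data = load_sample()
    for ip in ("172.25.130.10", "10.1.0.77", "10.1.200.9", "192.0.2.1"):
        print(ip, site_for_ip(data, ip), select_dcs(data, ip))
```

The Lab site is excluded, so a client in 10.1.200.0/24 receives only the * default even though its subnet is the most specific match, and arbundc1 stays hidden for Sydney clients because excludeDC is applied after the site lookup; both match the precedence the dc.man description above gives.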

Requirements

The administrative account for the Active Directory domain must be able to enumerate domain controllers in the domain.

Usage

Bravura Security Fabric uses the credentials configured for the target ID to retrieve information about sites and domain controllers:

dcdiscovery.exe -t <target ID> -f <filename>

If the credentials configured for the target ID are insufficient to retrieve information about sites and domain controllers, then a different user ID and password can be specified:

dcdiscovery.exe -s <domain> -u <user> -p <password> -f <filename>

Arguments:

  • -f <filename> The name of the output file generated by the program. By convention, this file is called dclist.txt.

  • -s <domain> The domain name of the Active Directory domain to search.

  • -t <targetID> The target ID of the Active Directory domain to search. If this argument is used, then the -s, -u and -p options are not required.

  • -u <user> The user ID of an administrative account in the Active Directory domain.

  • -p <password> The password of the user specified by the -u option.

Examples

  1. To search a domain, by using arguments "-s", "-u" and "-p", type on one line:

    dcdiscovery.exe -s domain1 -u administrator1 -p adminpw -f dclist.txt

  2. To search an Active Directory target system defined in Bravura Security Fabric, type on one line:

    dcdiscovery.exe -t W2KDOM -f dclist.txt

To manage multiple secondary GroupWise domains while targeting only a single primary domain, Bravura Pass uses the discgrpw plugin.

discgrpw

Although Bravura Security Fabric can manage passwords on multiple GroupWise Domains by targeting each mail domain, this can become difficult to manage if there are a large number of domains. Alternatively, Bravura Security Fabric can target a single primary domain, and use the discgrpw sub-host plugin to manage multiple secondary domains.

During auto discovery, the connector program creates a <targetID>.map file in the format:

"user dn 1" "<tree>:\\domain path"
"user dn 2" "<tree>:\\domain path"
...

The discgrpw sub-host plugin searches this file for the given GroupWise account, then returns the second part of the line to the GroupWise connector as the account’s server address.

The discgrpw sub-host plugin is run by the Help users (IDA) module, Change passwords (PSS) module, and Password Manager service (idpm) when configured by the Program to run to generate a list of target systems plugin point.

To replicate password changes from the main Unix target serving the Bravura Pass server to a local client machine accessed by a user, Bravura Pass uses the unixsub plugin.

unixsub

Use the unixsub sub-host plugin to replicate password changes from the main Unix target serving the Bravura Security Fabric server to a local client machine accessed by a user.

The plugin can be configured to return a list of sub-hosts from a remote IP address, or use a file mapping user IDs to IP addresses. This is controlled by the following registry settings in the HKLM\SOFTWARE\Bravura Security\Bravura Security Fabric\<instance>\unixsub key on the Bravura Security Fabric server:

  • remote_ip (data type REG_DWORD) Value 0 or 1, where 1 means this method will be used. This method can only be used for password changes in the Change passwords (PSS) module. It cannot be used for password changes in the Help users (IDA) module.

  • file_map (data type REG_SZ) Value is the full path and file name of the file map. The file format is:

    joeuser 10.10.10.10

    janeuser 10.10.10.11

If neither registry setting is used, the plugin defaults to the remote IP method. If both are set, the plugin will try the remote IP method first.

The unixsub sub-host plugin is run by the Help users (IDA) module, Change passwords (PSS) module, and Password Manager service (idpm) when configured by the Program to run to generate a list of target systems plugin point.

To use the plugin, set up two Unix type targets (one for the master target and one targeting local workstations) with an identical target address. On the configuration page for the local target, type unixsub.exe in the Program to run to generate a list of target systems field. Both targets retrieve the list of users from the master target. The local target also calls the plugin.

You can use a sub-host plugin to convert information about a single target system into information about multiple, subsidiary target systems.

Using an external program to provide sub-host expansion means that you can define your own target-list expansion rules to suit your requirements. This expanded list of target systems may be:

  • Fixed For example, when changing a password on system F, Bravura Pass must change passwords on systems F-1, F-2, and F-3.

  • User-selectable For example, the end user or help desk user may choose to set passwords on any of O-1, O-2, and O-3.

To configure Bravura Security Fabric to use a sub-host plugin, add the program name to the Program to generate a list of target systems option on the Target information page.

Input

Input to the plugin includes:

  • trigger_host The ID of the target system on which the user’s password is being changed.

  • trigger_user The profile ID of the user whose password is being changed.

  • trigger_alias The name of the account, on the trigger target system, that is owned by this user.

  • trigger_ip The IP address of the user that requested this password change. This field is only set for self-service requests. For help desk password changes this field is set to "unknown".

  • cgi_program The name of the CGI program that is calling the plugin.

  • host A block of key-value pairs that defines a target system. More than one host block may appear, with each one corresponding to a target system in the current password change request. Consists of the following:

    • host_id The target system ID

    • host_name The target system description

    • host_type The type of target system

    • host_address The target address

    • host_adminid The target administrator login ID

    • host_adminpass The target administrator password

The following is an example of the input received by the plugin:

"" "" = {
  "trigger_host" = "AD"
  "trigger_user" = "johnd"
  "trigger_alias" = "johnd"
  "trigger_ip" = "192.168.9.10"
  "cgi_program" = "pss"
  "host" "" = {
    "host_id" = "AD"
    "host_name" = "AD1 Domain"
    "host_type" = "WIN2K"
    "host_address" = "ad1.local"
    "host_adminid" = "Administrator"
    "host_adminpass" = "letmein!"
  }
  "error" = ""
}

Output

Output from the plugin includes:

  • out_host A block of key-value pairs similar to the host block used as input. At least one out_host block must appear in the output. The block consists of the following key-value pairs:

    • out_id An identifier for this server.

    • out_name The full name for this server.

    • out_type (Optional) The type of this server. Use this key-value pair if the sub-host server type is different to the target system type.

    • out_address The address for this server. This address must use an address syntax appropriate for the type of the trigger system.

    • out_adminid (Optional) The administrator login ID for this server. Use this key-value pair if the ID is different to the one entered in the input file.

    • out_adminpass (Optional) The administrator password for this server. Use this key-value pair if the password is different to the one entered in the input file.

    • out_select If "true", this server is selected by default on help desk selection screens. If "false", this server is deselected by default.

The following is an example of the output produced by the plugin:

"" "" = {
  "out_host" "" = {
    "out_id" = "AD"
    "out_name" = "First site"
    "out_type" = "WIN2K"
    "out_address" = "\\dcone.example.local"
    "out_adminid" = "psadmin"
    "out_adminpass" = "letmein!"
    "out_select" = "true"
  }
  "out_host" "" = {
    "out_id" = "AD"
    "out_name" = "Second site"
    "out_type" = "WIN2K"
    "out_address" = "\\dctwo.example.local"
    "out_adminid" = "psadmin"
    "out_adminpass" = "letmein!"
    "out_select" = "false"
  }
}
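As an added example that is not code from the Bravura documentation, here is a minimal sub-host plugin in Python that reads the block format shown above, expands each input host block into out_host blocks from a fixed table (the "Fixed" expansion case described earlier), and writes the output block. It assumes the plugin exchanges these blocks over stdin and stdout, which the page does not state; the sample request, the table of sub-hosts, and the placeholder password are all constructed. Because the input carries the target administrator credentials, the plugin keeps the request in memory only and never logs it, and it refuses to emit a value containing a double quote since the page documents no escape syntax for the format.

```python
"""Added example (not Bravura code): a sub-host plugin for the fixed expansion case."""
import re
import sys

# Constructed: the sub-hosts behind each trigger target system ID. out_type,
# out_adminid and out_adminpass are left out, so the trigger system's values apply.
SUBHOSTS = {
    "AD": [
        {"out_name": "First site", "out_address": "\\\\dcone.example.local", "out_select": "true"},
        {"out_name": "Second site", "out_address": "\\\\dctwo.example.local", "out_select": "false"},
    ],
}

# Constructed request in the input layout shown above; the password is a placeholder.
SAMPLE_REQUEST = '''"" "" = {
  "trigger_host" = "AD"
  "trigger_user" = "johnd"
  "trigger_alias" = "johnd"
  "trigger_ip" = "192.168.9.10"
  "cgi_program" = "pss"
  "host" "" = {
    "host_id" = "AD"
    "host_name" = "AD1 Domain"
    "host_type" = "WIN2K"
    "host_address" = "ad1.local"
    "host_adminid" = "Administrator"
    "host_adminpass" = "PLACEHOLDER-PASSWORD"
  }
  "error" = ""
}
'''

# Tokens are quoted strings (no escape syntax is documented, so none is applied),
# "=", "{" and "}".
_TOKEN = re.compile(r'"([^"]*)"|([={}])')

def _tokens(line):
    return [m.group(1) if m.group(1) is not None else m.group(2) for m in _TOKEN.finditer(line)]

def parse_kvblock(text):
    """Parse the block format into nested dicts; repeated block keys become lists."""
    root, stack = None, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        tok = _tokens(raw)
        if not tok:
            continue
        if tok[-2:] == ["=", "{"]:                          # "<key>" "" = {
            block = {}
            if stack:
                stack[-1].setdefault(tok[0], []).append(block)
            else:
                root = block
            stack.append(block)
        elif len(tok) == 3 and tok[1] == "=" and stack:     # "<key>" = "<value>"
            stack[-1][tok[0]] = tok[2]
        elif all(t == "}" for t in tok) and len(stack) >= len(tok):
            del stack[-len(tok):]                           # "}" or "}}" closes blocks
        else:
            raise ValueError(f"line {lineno}: cannot parse {raw!r}")
    if stack:
        raise ValueError("unterminated block")
    return root

def render_kvblock(doc, indent=1):
    lines = []
    for key, value in doc.items():
        if isinstance(value, list):
            for block in value:
                lines.append(f'{"  " * indent}"{key}" "" = {{')
                lines.extend(render_kvblock(block, indent + 1))
                lines.append(f'{"  " * indent}}}')
        else:
            if '"' in value:
                raise ValueError(f"{key}: value contains a double quote, which the format cannot carry")
            lines.append(f'{"  " * indent}"{key}" = "{value}"')
    return lines

def render_output(doc):
    return "\n".join(['"" "" = {', *render_kvblock(doc), "}"]) + "\n"

def expand_hosts(request, subhosts):
    """Build the out_host list; at least one block is required, so a trigger
    system with no expansion rule is echoed back as its own single sub-host."""
    out = {"out_host": []}
    for host in request.get("host", []):
        entries = subhosts.get(host["host_id"]) or [
            {"out_name": host["host_name"], "out_address": host["host_address"], "out_select": "true"}]
        for e in entries:
            out["out_host"].append({"out_id": host["host_id"], "out_name": e["out_name"],
                                    "out_type": e.get("out_type", host["host_type"]),
                                    "out_address": e["out_address"], "out_select": e["out_select"]})
    return out

if __name__ == "__main__":
    # The request carries host_adminpass: parse it in memory only, never log or store it.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_REQUEST
    sys.stdout.write(render_output(expand_hosts(parse_kvblock(text), SUBHOSTS)))
```

Run without piped input it expands the constructed request and prints two out_host blocks for the AD target in the layout of the output example above; piped a real request it expands that instead. The parser accepts the page's `}}` line, which closes two blocks at once, and the render/parse pair round-trips so a plugin author can check output against the documented layout before wiring the program into the Program to run to generate a list of target systems field.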