Implementing Transparent Password Synchronization

This section summarizes the steps required to implement transparent synchronization. It assumes basic password-management configuration is already in place (email notification, at least one target system with Bravura Security Fabric profiles).

To implement transparent password synchronization:

  1. Add target systems that trigger transparent password synchronization.

  2. If required, enable the API SOAP Service (idapisoap) and ensure interceptor hosts can access it. The API Service (idapi) configuration file requires the URL of the API SOAP Service.

    Note

    The API SOAP Service is not required for Windows or LDAP Triggers.

  3. Gather the information that you will need when you install the necessary software:

    • Trigger system’s target system ID

    • The communication key (or Master Key)

      The CommKey value is encrypted in Bravura Security Fabric. If you did not record the key in a secure location, copy the idmsetup.inf file from `<instance>\psconfig\` on the Bravura Security Fabric server to the same location as the installer. The installer will extract the Communication Key value from the file.

    • TCP port number on which the Password Manager service is listening for the LDAP interceptor.

    • URL of the API SOAP Service, for interceptors other than the LDAP and Windows interceptors.

    • DNS host name of each Bravura Security Fabric server

  4. Install the required software on the trigger system.

    See the for details.

  5. Inform users that:

    • All password changes (for users with a Bravura Security Fabric profile ID) will be subject to the password policies enforced on the Bravura Security Fabric server. By default, transparent password synchronization is available to all users.

    • When users change their passwords on the relevant system (Microsoft Active Directory, LDAP Directory Service, OS/390), their new password is automatically applied to all their accounts on other systems.

Options

You can configure the following if required:

  • The Password synchronization registration (PSR) module

    This method of user education requires users to register for transparent synchronization, using the Password synchronization registration (PSR) module. This ensures users actively understand and accept the changes. You must enable the Password synchronization registration (PSR) module to activate this feature.

  • Target system groups

    This allows you to apply different password policies and synchronization rules to groups of target systems.

    The default target system group is configured to enable transparent password synchronization. Bravura Security recommends that all target systems belong to a single target system group, and are subject to a single password policy.

  • Transaction Monitor Service (idtm)

    The Password Manager service is installed and started by default. You can set options for thread count, password change queuing, and integration with older Password Manager service (idpm) services. You can also set the Password Manager service to enforce the password strength policy for non-Bravura Pass users. Several synchronization events can be configured to trigger email notification or other external programs.

  • User notification

    You can use the Bravura Security Fabric notification system to warn users of pending password expiry.

Password synchronization registration (PSR)

When transparent password synchronization is implemented, it is important for users to understand the new password composition rules that Bravura Pass enforces over native password changes made on individual systems. Users also need to understand that password synchronization takes place automatically after they change their own password on a trigger system.

Bravura Pass incorporates a web-based registration module, intended to prompt users for active confirmation that they understand what transparent synchronization does for them. When the Password synchronization registration (PSR) module is activated, users are not affected by transparent password synchronization until they actively “register” for it.

The Password synchronization registration (PSR) module is disabled by default. You must enable it to allow users to access this feature.

Warning

Bravura Security recommends that password synchronization be applied to all users. Registration can be used to implement password synchronization on a user-by-user basis; however, there are incompatibilities between password synchronization registration and IVR and the Bravura Pass API. If password synchronization registration is enabled, IVR and the Bravura Pass API may not be able to find users.

It is recommended that password synchronization registration only be used as an educational tool. If this module is not enabled, all Bravura Pass users are automatically subjected to password synchronization when it is activated. You can enforce registration via the PSF FORCE ENROLLMENT setting.

To configure password synchronization registration:

  1. Click Manage the system > Modules > Password synchronization registration (PSR).

  2. Turn on the PSR ENABLED setting.

  3. If required, configure event options, listed in Table 1, “Password synchronization registration (PSR) module events that launch interface programs”.

  4. Click Update to submit the changes.

  5. Restart the Password Manager service to apply your settings.

    Caution

    The Password Manager service must be restarted after transparent synchronization is enabled. If it is not restarted, users may remain automatically subjected to transparent synchronization despite not being actively registered.

Transparent synchronization and generated passwords

Transparent password synchronization is incompatible with a security policy that mandates that users must select from a set of randomly generated passwords (by enforcing the “Be one of the N suggested passwords” rule), because even with the interceptor, the OS has no way to supply this list.

If users must select from a set of randomly generated passwords, they must use the Bravura Security Fabric web interface to change their passwords.

Load Balancing

By default, the Password Manager service will be running on each Bravura Pass server. However, only one server hostname may be provided to each transparent synchronization interceptor. If multiple Bravura Pass servers are operating, it is usually desirable to balance the transparent synchronization load between them dynamically and provide for transparent fail-over.

Round-robin DNS, or assigning multiple address records to a hostname, can be helpful for load balancing. In this configuration, an additional hostname should be set up with a record for each Bravura Pass server, and this hostname should be provided to the transparent synchronization interceptor installed on each target system. Target systems will then choose from the list of servers each time they make a request. This method does not provide fail-over.

Transparent synchronization requests can also be handled by a load balancer. Though no specific load balancer is endorsed for this purpose, the following criteria for its configuration apply:

  • No heartbeat should be done on either of the ports used by idpm. Use loadbalancerstatus to probe the health of nodes.

  • Persistent or sticky connections are required. Having once connected, a host’s traffic should be directed to the same server for considerably longer than the maximum request time. 3-5 minutes is suitable for most environments.

  • The traffic must be load balanced as a raw TCP stream. As it is encrypted, the load balancer should attempt no translation or validation on it.

  • The load balancer’s address facing the Bravura Pass server must be configured in the list of IP addresses from which Password Manager service will allow requests.

  • A firewall should restrict access to the load balancer so that only those hosts intended to be sources of transparent synchronization events may connect to the Password Manager service. The CIDR bitmask option provided in the Password Manager service configuration is ineffective if hosts can connect through a load balancer, because every request then appears to originate from the load balancer's address.

If using load balancers, do not configure any SSL options for transparent synchronization traffic. SSL options should only be configured on load balancers for WebUI traffic, not transparent synchronization. Transparent synchronization is encrypted using a proprietary encryption algorithm. Contact support@bravurasecurity.com for more details.
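As an added illustration (not Bravura Security's own configuration), the criteria above expressed as an HAProxy configuration: raw TCP pass-through, source-IP stickiness longer than the maximum request time, no heartbeat on the idpm ports, and no SSL termination. The listener port, server names and IP addresses are placeholders.

```haproxy
# Added example; assumed values only. Replace 1234 with the port on which the
# Password Manager service listens, and the addresses with your own.
defaults
    mode    tcp                 # raw TCP stream: no translation or validation
    timeout connect 5s
    timeout client  5m          # longer than the maximum request time
    timeout server  5m

frontend transparent_sync
    # No "ssl" on this bind: transparent synchronization traffic is already
    # encrypted; SSL options belong only on WebUI listeners.
    # A firewall must still limit which trigger hosts may reach this port.
    bind 10.0.0.10:1234
    default_backend password_manager

backend password_manager
    balance roundrobin
    # Sticky connections: pin each trigger host to one server for 5 minutes,
    # which sits in the 3-5 minute range the criteria recommend.
    stick-table type ip size 10k expire 5m
    stick on src
    # No "check" keyword on the servers: do not heartbeat the idpm ports.
    # Probe node health out of band with loadbalancerstatus instead.
    # The load balancer's address 10.0.0.10 must be in each server's list of
    # IP addresses from which the Password Manager service accepts requests.
    server pass1 10.0.1.21:1234
    server pass2 10.0.1.22:1234
```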