サポートと今すぐチャット
サポートとのチャット

Password Manager 5.13.1 - Administration Guide

About Password Manager Getting Started Password Manager Architecture
Password Manager Components and Third-Party Solutions Typical Deployment Scenarios Password Manager in Perimeter Network Management Policy Overview Password Policy Overview Secure Password Extension Overview reCAPTCHA Overview User Enrollment Process Overview Questions and Answers Policy Overview Password Change and Reset Process Overview Data Replication Phone-Based Authentication Service Overview
Management Policies
Checklist: Configuring Password Manager Understanding Management Policies Configuring Access to the Administration Site Configuring Access to the Self-Service Site Configuring Access to the Helpdesk Site Configuring Questions and Answers Policy Workflow overview Custom workflows Custom Activities Self-Service Workflows Helpdesk Workflows Notification Activities User Enforcement Rules
General Settings
General Settings Overview Search and Logon Options Import/Export Configuration Settings Outgoing Mail Servers Diagnostic Logging Scheduled Tasks Web Interface Customization Instance Reinitialization Realm Instances Domain Connections Extensibility Features RADIUS Two-Factor Authentication Internal Feedback Password Manager components and third-party applications Unregistering users from Password Manager Bulk Force Password Reset Fido2 key management Working with Redistributable Secret Management account Email Templates
Upgrading Password Manager Administrative Templates Secure Password Extension Password Policies Enable S2FA for Administrators & Enable S2FA for HelpDesk Users Reporting Password Manager Integration Accounts Used in Password Manager Open Communication Ports for Password Manager Customization Options Overview Feature imparities between the legacy and the new Self-Service Sites Glossary

Modifying Service Connection Settings

Using service connection settings you can specify the following:

  • Certificate name: use this setting to enter the name of the certificate for authentication and traffic encryption the Password Manager Service and the Web sites (Self-Service and Helpdesk). By default, Password Manager uses a built-in certificate issued by One Identity for this purpose. If you install the web sites on a standalone server, it is recommended to replace the default certificate with a custom certificate issued by a trusted Windows-based authentication authority.

    For more information on obtaining and installing custom certificates, see Specifying Custom Certificates for Authentication and Traffic Encryption Between Password Manager Service and Websites.

  • Port number: Use this setting to specify the port that the Self-Service and Helpdesk sites will use to connect to the Password Manager Service. By default, port 8081 is used.

    IMPORTANT: If you change the certificate and port number, the Self-Service and Helpdesk sites installed on standalone servers will be unavailable to users until you reinitialize the sites using the updated settings. For information, see Installing Legacy Self-Service, Password Manager Self-Service, and Helpdesk Sites on a Standalone Server.

To modify the service connection settings

  1. On the home page of the Administration site, click General Settings, and then click the Reinitialization tab.

  2. Under Service connection settings, from the Certificate name drop-down list, select the required certificate for authentication and traffic encryption between the Web sites (Self-Service and Helpdesk) and the Password Manager Service.

  3. In the Port number text box, enter the port number you want the Web sites to use to connect to the Password Manager Service.

  4. Click Save.

Modifying Advanced Settings

Using the advanced settings you can specify the following:

  • Encryption algorithm: Use this setting to select the encryption algorithm that is used to encrypt users’ answers to secret questions and other security sensitive information. You can select from two options: Triple DES and AES. By default, Password Manager uses Triple DES algorithm to encrypt data. Note, that users’ answers will be encrypted if the “Store answers using reversible encryption” option is selected in the Q&A Profile settings. Otherwise, the answers will be hashed.

  • Encryption key length: Use this setting to select whether a 192-bit or 256-bit encryption key will be used.

  • Attribute for storing Q&A profiles: Use this setting to enter the attribute name that will be used for storing Q&A profile data. By default, Password Manager stores Q&A profile data in the comment attribute of each user's account and the configuration data in the comment attribute of a configuration storage account, which is automatically created when installing Password Manager.

    Caution: If you change encryption settings and the attribute for storing Q&A profiles, the current instance will be excluded from a realm it belongs to and users may lose their Q&A profiles.

    When you change these settings, do the following to keep users’ Q&A profiles:

    • Export the current configuration when saving updated instance settings.

    • Update Q&A profiles using the Migration wizard (upload the exported configuration to the wizard) on the current instance.

    • To replicate new settings and updated Q&A profiles export the updated configuration from the current instance and import the configuration to other instances.

    If you do not use the Migration wizard to update users’ Q&A profile after changing the settings, users will have to re-register with Password Manager.

  • Hashing algorithm: Use this setting to select the hashing algorithm that will be used to hash users’ answers to secret questions. The following algorithms are available: MD5 and SHA-256. By default, Password Manager uses SHA-256 hashing algorithm. Password Manager will hash users’ answers if the Store answers using reversible encryption option is not selected in the Q&A Profile settings.

    IMPORTANT: If you change the hashing algorithm, the selected algorithm will be applied to newly created Q&A profiles only. Existing Q&A profiles will be hashed with the previously selected algorithm.

To modify the advanced settings

  1. On the home page of the Administration site, click General Settings > Reinitialization, and expand the Advanced settings section.

  2. From the Encryption algorithm drop-down list, select the encryption algorithm for encrypting users’ answers to secret questions and other security sensitive data.

  3. From the Encryption key length drop-down list, select whether a 192-bit or 256-bit encryption key will be used to encrypt data.

  4. From the Hashing algorithm drop-down list, select the algorithm that will be used to hash users’ authentication answers.

  5. In the Select the attribute of user’s account in Active Directory in which user’s Questions and Answers profile and Corporate phone will be stored section, provide the following data.

    • Security questions: Enter the required security question.

    • Corporate Phone: Enter the mobile number of the user.

    • Corporate email: Enter the corporate's email id of the user.

  6. Click Save.

    After clicking Save, the Reinitialize Instance dialog box appears.

  7. In the Reinitialize Instance dialog box, a password is generated for the configuration file that you should export to update users’ Q&A profiles and click Export.

  8. Click Save.

Use one of the following methods to clear old hives from AD user objects.

To update users’ Q&A profiles with new instance settings and clear old Q&A data for user objects in Active Directory

  1. Run the Migration wizard from the Password Manager CD autorun window.

  2. On the Welcome page, select the Update users’ Q&A profiles with new instance settings and clear old Q&A data for user objects in Active Directory task.

  3. On the next page, upload the configuration file you exported. Click Browse to select the file, enter the password generated while exporting the configuration file, and click Next.

  4. On the Select users page, do one of the following and click Next:

    1. If you want to convert the Q&A profiles of users from the user scope of a Management Policy, select the required policy in the Select Management Policy drop-down box and click Next.

    2. If you want to convert the Q&A profiles of a user in a user group, select The following groups. To select groups, click Add and do the following:

      1. In the Add Groups dialog box, enter the group name, select the domain from the list and click Search.

      2. Select the required groups in the list and click Save.

    3. If you want to convert the Q&A profiles of a user in an OU, select The following OUs. To select OUs, click Add and do the following:

      1. In the Add OUs dialog box, enter the OU name, select the domain from the list and click Search.

      2. Select the required OUs in the list and click Save.

  5. On the next page, do one of the following and click Next:

    1. Click Update Q&A profiles in test mode to update profiles in test mode. Use this mode to preview the result of updating profiles.

    2. Click Update Q&A profiles in test mode to update profiles in production mode.

    NOTE: For production mode, select Clear old Q&A data for user objects in Active Directory checkbox to clear old user Q&A data.

  6. On the status page, click View the report for detailed information to view a detailed account of updating profiles. If you updated Q&A profiles in test mode, click Update Q&A profiles in production mode.

Once you have updated the Q&A profiles with new instance settings, join other instances to this realm by exporting the configuration from the current instance and importing it to other instances. For more information on how to import and export configuration settings, see Import/Export Configuration Settings.

Clear old Q&A data for user objects in Active Directory

  1. Run the Migration wizard from the Password Manager CD autorun window.

  2. On the Welcome page, select the Clear old Q&A data for user objects in Active Directory task.

  3. On the Select users page, do one of the following and click Next:

    1. If you want to clear the old Q&A profiles of users from the user scope of a Management Policy, select the required policy in the Select Management Policy drop-down box and click Next.

    2. If you want to clear the old Q&A profiles of a user in a user group, select The following groups. To select groups, click Add and do the following:

      1. In the Add Groups dialog box, enter the group name, select the domain from the list and click Search.

      2. Select the required groups in the list and click Save.

    3. If you want to clear the old Q&A profiles of a user in an OU, select The following OUs. To select OUs, click Add and do the following:

      1. In the Add OUs dialog box, enter the OU name, select the domain from the list and click Search.

      2. Select the required OUs in the list and click Save.

  4. On the status page, click View the report for detailed information to view a detailed account of updating profiles. Click Finish.

NOTE: The latest version of Q&A, which is currently in use will not be deleted.

Realm Instances

On the Administration site you can view a list of installed Password Manager instances belonging to one realm. This information is available on the Realm Instances page.

To open the Password Manager Service Instances page, on the Administration site click General Settings. On the General Settings page, click the Realm Instances tab.

For each Service instance the Self-Service site URL is specified. If necessary, you can edit the URL by clicking Edit under the corresponding Service instance. In Realm instances, the Primary instance is in red for easy identification.

All Password Manager Service instances belonging to one realm share the following settings: certificate name, port number, encryption algorithm, encryption key length, hashing algorithm, attribute for storing Q&A profile data, and realm affinity ID. These options are configured when initializing a Password Manager Service instance. To change any of these settings, see Instance Reinitialization.

A Redistributable Secret Management Service (rSMS) user must be created in all the Password Manager realm instances. An rSMS user is automatically created if the imported configuration file has the rSMS account details.

Domain Connections

This section provides information on creating, modifying, and using domain connections.

関連ドキュメント

The document was helpful.

評価を選択

I easily found the information I needed.

評価を選択