There are two types of data stored by Password Manager: Password Manager configuration data and users’ Questions and Answers profiles. Password Manager configuration data contains all settings you configure in Password Manager. Users’ Questions and Answers profiles are stored apart from the configuration data.
Q&A profiles are stored in the attribute of a user account in AD LDS that you specify during instance initialization. By default, it is the comment attribute. You can also change it after initializing a Password Manager instance; for more information, see Instance Reinitialization.
Password Manager configuration data is stored in the C:\ProgramData\One Identity\Password Manager for AD LDS folder. This folder contains two files (Shared.storage and Local.storage) and the LocalizationStorage folder.
The Shared.storage file contains configuration data that is shared among all instances of a realm: Management Policies, general settings, AD LDS connections, custom activities and workflows, instance settings, etc.
The Local.storage file contains the instance-specific settings, such as the instance name and statistics about scheduled tasks.
The LocalizationStorage folder contains the user interface texts localized in several languages.
If you install a realm (several Password Manager instances sharing the same configuration), changes in the configuration of one instance are automatically propagated to other instances. To propagate the data, Password Manager replicates the data from the shared.storage file and the LocalizationStorage folder to AD LDS.
Before being written to AD LDS, the data is split into several segments and archived.
To distribute the configuration data from one instance to another, Password Manager uses a scheduled task and the PMReplication container in a managed application directory partition to which the data is copied. The PMReplication container is an container that is automatically created in the Users container of the managed application directory partition. To this container, containers for each Password Manager realm are added. Names of these containers correspond to the realm affinity id. Each realm container has the containers for every instance belonging to this realm. Names of instance containers correspond to the instance ids.
In the instance container, several user accounts are created. The number of user accounts is one more than the number of data segments. For example, if there are twenty data segments, then the instance container has twenty one user accounts. Note, that the created user accounts are disabled.
The same attribute that you specify for storing users’ Q&A profiles is used to store the configuration data segments.The first user account stores the data replica id, all other accounts store the data segments.
Replication mechanism analyses all data segments from all instances, selects data with the latest changes and propagates it.
Note, that the access account must have the permission to create user accounts and containers in the Users container for configuration data to be replicated. For more information on configuring the access account, see Configuring Permissions for Access Account.
By default, the data to be replicated is divided into segments by a segment size (100 KB). Data can also be divided into segments according to a specified segment number.
You can also change the name of the storage container (by default, PMReplication) and the location for storing this container (by default, the Users container of a managed application directory partition), and the names of user accounts used to store data segments.
You can change replication settings by modifying the QPM.Service.Host.exe.config file located in the <Password Manager installation folder>\Service folder.
|
Caution: Editing the configuration file may cause serious problems. It is recommended to back up the file before modifying it. Edit the QPM.Service.Host.exe.config file at your own risk. |
To change replication settings
One of the authentication options offered by Password Manager is a phone-based authentication. It enables you to require users to enter a verification code on the Self-Service or Helpdesk site. The verification code can be sent as an SMS or automated call. The phone-based authentication service is by provided by TeleSign.
© 2021 One Identity LLC. ALL RIGHTS RESERVED. Feedback Terms of Use Privacy