Modifying Advanced Settings
Using the advanced settings you can specify the following:
- Encryption algorithm - use this setting to select the encryption algorithm that is used to encrypt users’ answers to secret questions and other security sensitive information. You can select from two options: Triple DES and AES. By default, Password Manager uses Triple DES algorithm to encrypt data. Note, that users’ answers will be encrypted if the “Store answers using reversible encryption” option is selected in the Q&A Profile settings. Otherwise, the answers will be hashed.
- Encryption key length - use this setting to select whether a 192-bit or 256-bit encryption key will be used.
- Attribute for storing Q&A profiles - use this setting to enter the attribute name that will be used for storing Q&A profile data. By default, Password Manager stores Q&A profile data in the comment attribute of each user's account and the configuration data in the comment attribute of a configuration storage account, which is automatically created when installing Password Manager.
If you change encryption settings and the attribute for storing Q&A profiles, the current instance will be excluded from a realm it belongs to and users may lose their Q&A profiles.
When you change these settings, do the following to keep users’ Q&A profiles:
- Export the current configuration when saving updated instance settings.
- Update Q&A profiles using the Migration wizard (upload the exported configuration to the wizard) on the current instance.
- To replicate new settings and updated Q&A profiles export the updated configuration from the current instance and import the configuration to other instances.
If you do not use the Migration wizard to update users’ Q&A profile after changing the settings, users will have to re-register with Password Manager.
- Hashing algorithm - use this setting to select the hashing algorithm that will be used to hash users’ answers to secret questions. The following algorithms are available: MD5 and SHA-256. By default, Password Manager uses SHA-256 hashing algorithm. Password Manager will hash users’ answers if “Store answers using reversible encryption”option is not selected in the Q&A Profile settings.
|IMPORTANT: If you change the hashing algorithm, the selected algorithm will be applied to newly created Q&A profiles only. Existing Q&A profiles will be hashed with the previously selected algorithm.|
To modify the advanced settings
- On the home page of the Administration site, click General Settings|Instance Reinitialization, and expand the Advanced settings section.
- From the Encryption algorithm drop-down list, select the encryption algorithm for encrypting users’ answers to secret questions and other security sensitive data.
- From the Encryption key length drop-down list, select whether a 192-bit or 256-bit encryption key will be used to encrypt data.
- In the Store user’s Questions and Answers profile in the following attribute of user’s account in AD LDS text box, enter the attribute name of user account in AD LDS in which you want to store user’s Q&A profile.
- From the Hashing algorithm drop-down list, select the algorithm that will be used to hash users’ authentication answers.
- Click Save.
- In the Reinitialize Instance dialog box, enter a password for the configuration file that you should export to update users’ Q&A profiles and click Export.
- Click Save.
To update users’ Q&A profiles with new instance settings
- Run the Migration wizard from the Password Manager CD autorun window.
- On the Welcome page, select the Update users’ Q&A profiles with new instance settings task.
- On the next page, upload the configuration file you exported when reinitializing the instance. Click Browse to select the file, enter the password you specified for the file, and click Next.
- Select users whose Q&A profiles you want to update and click Next. To select groups, click Add and do the following:
- In the Add Groups dialog box, enter the group name, select the application directory partition from the list and click Search.
- Select the required groups in the list and click Save.
- On the next page, do one of the following and click Next:
- Click Update Q&A profiles in test mode to update profiles in test mode. Use this mode to preview the result of updating profiles.
- Click Update Q&A profiles in production mode to update profiles in production mode.
- On the status page, click View the report for detailed information to view a detailed account of updating profiles. If you updated Q&A profiles in test mode, click Update Q&A profiles in production mode.
After you have updated the Q&A profiles with new instance settings, join other instances to this realm by exporting the configuration from the current instance and importing it to other instances. For more information on how to import and export configuration settings, see Import/Export Configuration Settings.
On the Administration site you can view a list of installed Password Manager instances belonging to one realm. This information is available on the Realm Instances page.
To open the Password Manager Service Instances page, on the Administration site click General Settings. On the General Settings page, click the Realm Instances tab.
In Realm instances, the Primary instance is in red for easy identification.
All Password Manager Service instances belonging to one realm share the following settings: certificate name, port number, encryption algorithm, encryption key length, hashing algorithm, attribute for storing Q&A profile data, realm affinity ID, and configuration data. These options are configured when initializing a Password Manager Service instance. To change any of these settings, see Instance Reinitialization.
AD LDS Instance Connections
This section provides information on creating, modifying, and using connections to AD LDS instances.
Using Connections to AD LDS Instances
On the General Settings|AD LDS Instance Connections tab of the Administration site, you can view a list of available connections.
To manage AD LDS instance with Password Manager you need to create a connection to the required AD LDS instance. When adding a connection you can select an existing connection or create a new one. It is possible to use the same connection in different sections: user and helpdesk scopes, and password policies.
You can add a connection to an AD LDS instance either on the AD LDS Instance Connections tab or from the User scope, Helpdesk scope, and Password Policies pages.
Note, that when you modify the connection on the User scope, Helpdesk scope or Password Policies pages, you can select how you want to apply the updated connection settings: either for the specified section only or everywhere where this connection is used. If you choose to update settings for the specified section only, a copy of the connection will be created with these settings and will be added to the list of available connections to AD LDS instances.
|IMPORTANT: When you modify the connection on the AD LDS Instance Connections tab, the updated settings will be automatically applied everywhere where this connection is used.|
If you want to remove the connection from the list on the AD LDS Instance Connections tab, you should first remove it from all sections where it is used, and only then remove the connection from the list.