Previous      Contents      Index      Next
Sun[TM] Identity Manager 8.0 Administration

Chapter 11
PasswordSync

PasswordSync detects user password changes initiated on Windows domains and forwards those changes to Identity Manager. Identity Manager then synchronizes password changes with the other resources defined in Identity Manager.

This chapter is organized as follows:

What is PasswordSync?
Before You Install
Installing PasswordSync on Windows
Configuring PasswordSync
Debugging PasswordSync on Windows
Uninstalling PasswordSync on Windows
Deploying PasswordSync on the Application Server
Configuring PasswordSync with a Sun JMS Server
Frequently Asked Questions about PasswordSync
Frequently Asked Questions about PasswordSync

---

What is PasswordSync?

The PasswordSync feature keeps user password changes made on Windows Active Directory domains synchronized with other resources defined in Identity Manager. PasswordSync must be installed on each domain controller in the domains that will be synchronized with Identity Manager. PasswordSync must be installed separately from Identity Manager.

PasswordSync consists of a DLL (lhpwic.dll) that resides on each domain controller. This DLL receives password update notifications from Windows, encrypts them, and sends them over HTTPS to the PasswordSync servlet. The PasswordSync servlet is located on the application server running Identity Manager.

Note	Sun recommends using HTTPS. HTTP, however, is also supported.

The PasswordSync servlet translates the notification into a format Identity Manager can understand. It then sends the password change (still encrypted) to Identity Manager using one of the following methods:

The Direct method - The servlet communicates the password change directly to Identity Manager using native Identity Manager classes. (See Figure 11-1.)

The direct connection method is only recommended for smaller, less complex environments that only require message delivery to one system, and that do not require guaranteed message delivery. (If for some reason direct message delivery were to fail, the message would be lost. Backup delivery is not possible.)

The JMS method - The servlet sends the password information to Identity Manager using JMS (Java Message Service). With JMS, the servlet submits password changes to the JMS Message Queue. Separately, Identity Manager’s JMS Listener Resource Adapter checks the Queue for new messages. If a password change message is found waiting on the Queue, the JMS Listener Adapter takes the message off the Queue and imports it into Identity Manager. (See Figure 11-2.)

The JMS method is recommended for more complex environments that need messages delivered to multiple systems, as well as guaranteed message delivery. (The JMS Message Queue can be made highly available. And, if message delivery should fail, the Queue will keep the change until it can be delivered to Identity Manager.)

JMS, however, must be installed and configured separately.

Figure 11-1 diagrams a direct connection. In this configuration the PasswordSync servlet sends update messages directly to Identity Manager

Figure 11-1  PasswordSync Logical Diagram (direct connection).

Figure 11-2 diagrams a JMS connection. In this configuration the PasswordSync servlet sends update messages to the JMS Message Queue. Identity Manager’s JMS Listener Resource Adapter periodically checks the Queue (indicated by the light blue arrow in the diagram) for new messages. The Queue responds by sending the messages to Identity Manager (indicated by the dark blue arrow).

Figure 11-2  PasswordSync Logical Diagram (JMS connection).

When Identity Manager receives a password change notification, it decrypts it and processes the change using a workflow task. The password is updated on all of the user’s assigned resources, and an SMTP server sends an email to the user, notifying the user of the status of the password change.

Note	Windows only sends out an update notification if a password change is successful. If a password change request does not meet the domain’s password policy, Windows will reject it and no synchronization data will be sent to Identity Manager.

Figure 11-3 shows Identity Manager initiating a workflow and sending email to the user after receiving a password update notification.

Figure 11-3  PasswordSync triggers a workflow.

d

Note	PasswordSync discards all account change notifications for account names that end in a $ (dollar sign). Account names that end in a $ are assumed to be Windows computer accounts. Any user account names that end in a dollar sign will not be forwarded to Identity Manager.

---

Before You Install

The PasswordSync feature can be set up only on Windows 2003 and Windows 2000 domain controllers. (Support for Windows NT domain controllers has been discontinued in version 8.0 of Identity Manager.) You must install PasswordSync on each primary and backup domain controller in the domains that will be synchronized with Identity Manager. Configuring PasswordSync for HTTPS is highly recommended.

Note	Versions of PasswordSync that are older than version 7.1.1 should be updated to at least version 7.1.1 on all domain controllers. Support for the rpcrouter2 servlet has been deprecated in version 8.0, and will be removed in a future release. PasswordSync versions 7.1.1 and newer support the new protocol.

If using JMS, PasswordSync requires connectivity with a JMS server. See the JMS Listener resource adapter section in the Sun Identity Manager Resources Reference for more information about the requirements for the JMS system.

In addition, PasswordSync requires you to

Install at least Microsoft .NET 1.1 on each domain controller
Remove any previous versions of PasswordSync

These requirements are discussed in more detail in the following sections.

Install Microsoft .NET 1.1

To use PasswordSync, you must install the Microsoft .NET 1.1 Framework. This Framework is installed by default if you are using a Windows 2003 domain controller. If you are using a Windows 2000 domain controller, you can download the toolkit from the Microsoft Download Center at:

http://www.microsoft.com/downloads

Note	Enter NET Framework 1.1 Redistributable in the Keywords search field to quickly locate the framework toolkit. The toolkit installs the .NET 1.1 framework.

Configure PasswordSync for SSL

Although sensitive data is encrypted before being sent to the Identity Manager server, Sun Microsystems recommends configuring PasswordSync to use a secure SSL connection (that is, an HTTPS connection).

For information on how to install imported SSL certificates, see this Microsoft Knowledge Base How-To article:

http://support.microsoft.com/kb/816794

Once you have installed PasswordSync, you can test that your SSL connection is properly configured by specifying an HTTPS URL in the PasswordSync configuration dialog. See Testing Your Configuration for instructions.

Uninstall Previous Versions of PasswordSync

You must remove any previously installed instances of PasswordSync before installing a later version.

If the previously installed version of PasswordSync supports the IdmPwSync.msi installer, you can use the standard Windows Add/Remove Programs utility to remove the program.
If the previously installed version of PasswordSync does not support the IdmPwSync.msi installer, use the InstallAnywhere uninstaller to remove the program.

---

Installing PasswordSync on Windows

The following procedure describes how to install the PasswordSync configuration application.

Note	You must install PasswordSync on each domain controller in the domains that will be synchronized with Identity Manager. Be sure to uninstall any previously installed versions of PasswordSync before continuing.

To install PasswordSync, follow these steps:

From the Identity Manager installation media, double-click pwsync\IdmPwSync_x86.msi if installing to a 32-bit version of Windows, or double-click pwsync\IdmPwSync_x64.msi if installing to a 64-bit version of Windows.

The Welcome window is displayed.

The installation wizard provides the following navigational buttons:

Cancel: Click to exit the wizard at any time without saving any of your changes.
Back: Click to return to a previous dialog box.
Next: Click to progress to the next dialog box.
Read the information provided on the Welcome screen, and then click Next to display the Choose Setup Type PasswordSync Configuration window.
Click either Typical or Complete to install the full PasswordSync package, or Custom to control which parts of the package are installed.
Click Install to install the product.

A message displays to let you know if you installed PasswordSync successfully.

Click Finish to complete the installation process.

Be sure to select Launch Configuration Application so that you can begin configuring Password Sync. See Configuring PasswordSync for details about this process.

Note	A dialog stating that you must restart the system for the changes to take effect displays. It is not necessary to restart until after you have configured PasswordSync, but you must restart the domain controller before implementing PasswordSync.

Table 11-1 describes the files that are installed on each domain controller.

Table 11-1  Domain Controller Files  

Installed Component	Description
%$INSTALL_DIR$%\configure.exe	PasswordSync configuration program
%$INSTALL_DIR$%\configure.exe.manifest	Data file for the configuration program
%$INSTALL_DIR$%\passwordsyncmsgs.dll	DLL that handles PasswordSync messages
%SYSTEMROOT%\SYSTEM32\lhpwic.dll	Password Notification DLL that implements the Windows PasswordChangeNotify() function

---

Configuring PasswordSync

If you run the configuration application from the installer, the application displays the configuration screens as a wizard. After you have completed the wizard, each subsequent time you run the PasswordSync configuration application, you can navigate between screens by selecting a tab.

To configure PasswordSync, follow these steps:

Start the PasswordSync configuration application (if it is not already running).

By default, the configuration application is installed at Program Files >
Sun Identity Manager PasswordSync > Configuration.

If you do not plan to use JMS, launch the configuration application from a command line. Be sure to include the -direct flag:

C:\InstallDir\Configure.exe -direct

The PasswordSync Configuration dialog is displayed (see Figure 11-4).

Figure 11-4  PasswordSync Wizard Configuration Dialog



Edit the fields as necessary.

Server must be replaced with the fully-qualified host name or IP address where Identity Manager is installed.
Protocol indicates whether to make secure connections to Identity Manager. If HTTP is selected, the default port is 80. If HTTPS is selected, the default port is 443.
Path specifies the path to Identity Manager on the application server.
URL is generated by concatenating the other fields together. The value cannot be edited within the URL field.
Click Next to display the Proxy Server Configuration page (Figure 11-5).

Figure 11-5  PasswordSync Wizard Proxy Server Dialog



Edit the fields as necessary.

Select Enable if a proxy server is required.
Server must be replaced with the fully-qualified host name or IP address of the proxy server.
Port: Specify an available port number for the server.
(The default proxy port is 8080 and the default HTTPS port is 443.)
Click Next to display the JMS Settings dialog (Figure 11-6).

Or, if you do not plan to use JMS and you launched the configuration wizard with the -direct flag, click Next to display the User dialog. Skip to step Step 5.

Figure 11-6  PasswordSync Wizard JMS Settings Dialog



Edit the fields as necessary.

User specifies the JMS user name that places new messages on the queue.
Password and Confirm specify the password for the JMS user.
Connection Factory specifies the name of the JMS connection factory to be used. This factory must already exist on the JMS system.
In most cases, Session Type should be set to LOCAL, which indicates that a local session transaction will be used. The session will be committed after each message is received. Other possible values include AUTO, CLIENT, and DUPS_OK.
Queue Name specifies the Destination Lookup Name for the password synchronization events.
Click Next to display the JMS Properties dialog (Figure 11-7).

Figure 11-7  PasswordSync Wizard JMS Properties Dialog



The JMS Properties dialog allows you to define the set of properties that are used to build the initial JNDI context. The following name/value pairs must be defined:

java.naming.provider.url — The value must be set to the URL of the machine running the JNDI service.
java.naming.factory.initial — The value must be set to the classname (including the package) of the Initial Context Factory for the JNDI Service Provider.

The Name pull-down menu contains a list of classes from the java.naming package. Select a class or type in a class name, then enter its corresponding value in the Value field.

If you do not plan to use JMS and you launched the configuration wizard with the -direct flag, configure the User tab. Otherwise, skip this step and go to the next step.

To configure the User tab, edit the fields as necessary.

Account ID specify the user name that will be used to connect to Identity Manager.
Password specify the password that will be used to connect to Identity Manager.
Click Next to display the Email dialog (Figure 11-8).

Figure 11-8  PasswordSync Wizard Email Dialog



The Email dialog enables you to configure whether to send an email notification when a user’s password change does not synchronize successfully due to a communication error or other error outside of Identity Manager.

Edit the fields as necessary.

Select Enable Email to enable this feature. Select Email End User if the user is to receive notifications. Otherwise, only the administrator will be notified.
SMTP Server is the fully qualified name or IP address of the SMTP server to be used when sending failure notifications.
Administrator Email Address is the email address used to send notifications.
Sender’s Name is the “friendly name” of the sender.
Sender’s Address is the email address of the sender.
Message Subject specifies the subject line of all notifications
Message Body specifies the text of the notification.

The message body may contain the following variables.

$(accountId) — The accountId of the user attempting to change password.
$(sourceEndpoint) — The host name of the domain controller where the password notifier is installed, to help locate troubled machines.
$(errorMessage) — The error message that describes the error that has occurred.
Click Finish to save your changes.

If you run the configuration application again, a set of tabs is displayed instead of a wizard. If you wish to display the application as a wizard, type the following command from the command line:

C:\InstallDir\Configure.exe -wizard

To test your PasswordSync configuration, see Testing Your Configuration.

---

Debugging PasswordSync on Windows

See the Identity Manager Tuning, Troubleshooting, and Error Messages book for information on troubleshooting PasswordSync on Windows.

Error Logs

PasswordSync writes all failures to the Windows Event Viewer. (For help using Event Viewer, see Windows Help.) The source name for error log entries is PasswordSync.

---

Uninstalling PasswordSync on Windows

To uninstall the PasswordSync application, go to the Windows Control Panel and select Add or Remove Programs. Then select Sun Identity Manager PasswordSync and click Remove.

Note	PasswordSync can also be uninstalled (or reinstalled) by loading the Identity Manager installation media and clicking on the pwsync\IdmPwSync.msi icon.

You must restart your system to complete the process.

---

Deploying PasswordSync on the Application Server

Once PasswordSync is installed on your Windows domain controllers, you need to take additional steps on the application server running Identity Manager.

You do not need to install the PasswordSync servlet on the application server. It is automatically installed when you installed Identity Manager.

To finish deploying PasswordSync, however, you do need to perform the following actions in Identity Manager:

Add and configure the JMS Listener Adapter (if using JMS)
Implement the “Synchronize User Password” Workflow
Set up notifications

Adding and Configuring a JMS Listener Adapter

If the PasswordSync servlet is using JMS to send messages to Identity Manager, you need to add Identity Manager’s JMS Listener resource adapter. The JMS Listener resource adapter periodically checks the JMS Message Queue for messages placed there by the PasswordSync servlet. If the Queue contains a new message, it sends it to Identity Manager for processing.

To add the JMS Listener resource adapter, follow these steps.

Log on to the Identity Manager Administrator Interface ((more...) ).
Click Resources.
Click Configure Types in the secondary menu.

The “Configure Managed Resources” page opens.

Verify that the checkbox in the Managed? column is selected for JMS Listener. (See Figure 11-9.)

If it is not selected, select the checkbox and click Save. Otherwise, go to the next step.

Figure 11-9 shows the “Configure Managed Resources” page. Verify that JMS Listener is selected.

Figure 11-9  The “Configure Managed Resources” page.

Click List Resources in the secondary menu.
Locate the Resource Type Actions drop-down menu and select New Resource.

The “New Resource” page opens.

Select JMS Listener from the drop-down menu and click New. (See Figure 11-10.)

The “Create JMS Listener Resource Wizard” Welcome page opens. Click Next to start the configuration wizard.

Figure 11-10 shows the New Resource Wizard. To add the JMS Listener Adapter, select JMS Listener from the list.

Figure 11-10  The New Resource Wizard.

Complete the form on the “Resource Parameters” wizard page. Click Next when you are done.

You must configure the following settings:

Destination Type — This value will typically be set to Queue. (Topics are not usually relevant because there is one subscriber and potentially multiple publishers.)
Initial context JNDI properties — This text box defines the set of properties that are used to build the initial JNDI context. The following name/value pairs must be defined:
java.naming.factory.initial — The value must be set to the classname (including the package) of the Initial Context Factory for the JNDI Service Provider.
java.naming.provider.url — The value must be set to the URI of the machine running the JNDI service.

It may be necessary to define additional properties. The list of properties and values should match those specified on the JMS settings page on the JMS server.

For example, to provide the credentials and bind method, you may need to specify the following sample properties:

java.naming.security.principal: Bind DN (for example, cn=Directory manager)
java.naming.security.authentication: Bind method (for example, simple)
java.naming.security.credentials: Password
JNDI name of Connection factory — The name of a connection factory, as defined on the JMS server.
JNDI name of Destination — The name of a destination, as defined on the JMS server.
User and Password — The account name and password of the administrator that requests new events from the queue.
Reliable Messaging Support — Select LOCAL (Local Transactions). The other options are not applicable for password synchronization.
Message Mapping —
Enter java:com.waveset.adapter.jms.PasswordSyncMessageMapper. This class transforms messages from the JMS server into a format that can be used by the Synchronize User Password workflow.

Figure 11-11  The JMS Listener Resource Wizard “Resource Parameters” page



On the “Account Attributes” wizard page, click Add Attribute.

Figure 11-12  The “Account Attributes” page of the “Create JMS Listener Resource Wizard”



Map the following attributes, which are made available to the JMS Listener Adapter by PasswordSyncMessageMapper. Refer to Figure 11-12. Click Next when you are done.
IDMAccountId: This attribute is resolved by the PasswordSyncMessageMapper, based on the resourceAccountId and resourceAccountGUID attributes passed in the JMS message.
password: The encrypted password forwarded in the JMS message.

Click Next.

The “Identity Template” wizard page opens.

Note that the attributes you added in the previous step are available in the Attribute Mappings section of the Resource Wizard (Figure 11-13).

Click Next.

Figure 11-13  JMS Listener Resource Wizard Attribute Mappings



The “Identity System Parameters” wizard page opens.

Configure the options on this page as needed.

See Sun Identity Manager Resources Reference for more information about setting up the JMS Listener resource adapter.

Implementing the Synchronize User Password Workflow

When Identity Manager receives a password change notification, it starts the “Synchronize User Password” workflow. The default “Synchronize User Password” workflow checks out the ChangeUserPassword viewer, and then checks it back in again. Next, the workflow processes all of the resources accounts (except the Windows resource that sent the initial password change notification). Finally, Identity Manager sends the user email indicating whether the password change was successful on all resources.

If you want to use the default implementation of the “Synchronize User Password” workflow, assign it as the process rule for the JMS Listener adapter instance. Process rules may be assigned when you configure the JMS Listener for synchronization (see Configuring Active Sync).

If you want to modify the workflow, copy the $WSHOME/sample/wfpwsync.xml file and make your modifications. Then, import the modified workflow into Identity Manager.

Some of the modifications you might want to make to the default workflow include:

Which entities are notified when a password is changed.
What happens if an Identity Manager account cannot be found.
How resources are selected in the workflow.
Whether to allow password changes from Identity Manager

For detailed information about using workflows, see Sun Identity Manager Workflows, Forms, and Views.

Setting Up Notifications

Identity Manager provides two email templates that can inform users whether a password change was successful across all resources. These templates are:

Password Synchronization Notice
Password Synchronization Failure Notice

Both templates should be updated to provide company-specific information about what users should do if they need further assistance. For more information see Customizing Email Templates.

---

Configuring PasswordSync with a Sun JMS Server

Identity Manager can use Java Message Service (JMS) to receive password change notifications from the PasswordSync servlet. In addition to guaranteed delivery, JMS can deliver messages to multiple systems.

Note	See the Sun Identity Manager Resources Reference for more information about this adapter.

Using a sample scenario, this section provides instructions for configuring PasswordSync with a Sun JMS server. The information is organized as follows:

Overview
Creating and Storing Administered Objects
Configuring the JMS Listener Adapter for this Scenario
Configuring Active Sync
Testing Your Configuration

Overview

This section describes the sample scenario, the Windows PasswordSync solution, and the JMS solution.

Sample Scenario

A typical (simple) use case for configuring PasswordSync with a JMS server is to enable users to change their passwords on Windows, have Identity Manager pick up the new password, and then update the user accounts with the new passwords on a Sun Directory Server.

The following environment was configured for this scenario:

Windows Server 2003 Enterprise Edition – Active Directory
Sun Identity Manager 6.0 2005Q4M3
MySQL running on Suse Linux 10.0
Tomcat 5.0.28 running on Suse Linux 10.0
Sun Message Queue 3.6 SP3 2005Q4 running on Suse Linux 10.0
Sun Directory Server 5.2 SP4 running on Suse Linux 10.0
Java 1.5 (Java 5.0)

The following files were copied to the Tomcat common/lib directory to enable JMS and JNDI:

jms.jar (from Sun Message Queue)
fscontext.jar (from Sun Message Queue)
imq.jar (from Sun Message Queue)
jndi.jar (from Java JDK)

Creating and Storing Administered Objects

This section provides instructions for creating and storing the following administered objects, which are required for the sample scenario to work successfully:

Connection factory objects
Destination objects

Administered objects can be stored either in an LDAP directory or in a file. If using a file, all instances of the file must be the same.

Information on storing administered objects in an LDAP directory is covered first. For instructions on storing administered objects in a file, go to (more...) .

Note	The instructions in this section assume you have installed Sun Message Queue. (The necessary tools are located in the bin/ directory of your Message Queue installation.) You can use either the Message Queue administrative GUI (imqadmin) or the command-line tool (imqobjmgr) to create these administered objects. The following instructions use the command-line tool.

Storing Administered Objects in an LDAP Directory

PasswordSync and the JMS Listener can be configured to use administered objects stored in an LDAP directory. Figure 11-14 illustrates the process. Both the PasswordSync Servlet and the JMS Listener adapter must retrieve connection factory and destination settings from the LDAP Directory in order to send and receive messages.

Figure 11-14  Retrieving Connection Factory and Destination Objects from the LDAP directory

This section explains how to use the Message Queue command-line tool (imqobjmgr) to store administered objects in an LDAP directory.

Storing Connection Factory Objects

Open the Message Queue command-line tool (imqobjmgr) and type the commands in Code Example 11-1 to store the connection factory objects.

Code Example 11-1  Storing Connection Factory Objects  

#> ./imqobjmgr add -l "cn=mytestFactory" -j "java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory" -j "java.naming.provider.url=ldap://gwenig.coopsrc.com:389/ou=sunmq,dc=coopsrc,dc=com" -j "java.naming.security.principal=cn=directory manager" -j "java.naming.security.credentials=password" -j "java.naming.security.authentication=simple" -t qf -o "imqAddressList=mq://gwenig.coopsrc.com:7676/jms" Adding a Queue Connection Factory object with the following attributes: imqAckOnAcknowledge [Message Service Acknowledgement of Client Acknowledgements] ... imqSetJMSXUserID [Enable JMSXUserID Message Property] false Using the following lookup name: cn=mytestFactory The object's read-only state: false To the object store specified by: java.naming.factory.initial com.sun.jndi.ldap.LdapCtxFactory java.naming.provider.url ldap://gwenig.coopsrc.com:389/ou=sunmq,dc=coopsrc,dc=com java.naming.security.authentication simple java.naming.security.credentials netscape java.naming.security.principal cn=directory manager Object successfully added.

In Code Example 11-1 imqAddressList defines the JMS server/broker hostname (gwenig.coopsrc.com), port (7676), and the access method (jms).

Storing Destination Objects

In the Message Queue command-line tool (imqobjmgr), type the commands in Code Example 11-2 to store the destination objects.

Code Example 11-2  Storing Destination Objects

#> ./imqobjmgr add -l "cn=mytestDestination" -j "java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory" -j "java.naming.provider.url=ldap://gwenig.coopsrc.com:389/ou=sunmq,dc=coopsrc,dc=com" -j "java.naming.security.principal=cn=directory manager" -j "java.naming.security.credentials=password" -j "java.naming.security.authentication=simple" -t q -o "imqDestinationName=mytestDestination" Adding a Queue object with the following attributes: imqDestinationDescription [Destination Description] A Description for the Destination Object imqDestinationName [Destination Name] mytestDestination Using the following lookup name: cn=mytestDestination The object's read-only state: false To the object store specified by: java.naming.factory.initial com.sun.jndi.ldap.LdapCtxFactory java.naming.provider.url ldap://gwenig.coopsrc.com:389/     ou=sunmq,dc=coopsrc,dc=com java.naming.security.authentication simple java.naming.security.credentials netscape java.naming.security.principal cn=directory manager Object successfully added.

Note	You can check the newly created object with an ldapsearch or an LDAP browser.

This concludes the section on Storing Administered Objects on an LDAP Server. Skip the next section, which describes how to store Administered Objects in a file, and go to the section on Configuring the JMS Listener Adapter for this Scenario.

Storing Administered Objects in a File

PasswordSync and the JMS Listener can be configured to use administered objects stored in a file. If you are not storing administered objects on an LDAP server ((more...) ), follow the instructions in this section.

Storing Connection Factory Objects

Open the Message Queue command-line tool (imqobjmgr) and type the commands in Code Example 11-3 to store connection factory objects and specify a lookup name.

Code Example 11-3  Storing Connection Factory Objects and Specifying Lookup Names

#> ./imqobjmgr add -l "mytestFactory" -j "java.naming.factory.initial= com.sun.jndi.fscontext.RefFSContextFactory" -j "java.naming.provider.url=file:///home/gael/tmp" -t qf -o "imqAddressList=mq://gwenig.coopsrc.com:7676/jms" Adding a Queue Connection Factory object with the following attributes: imqAckOnAcknowledge [Message Service Acknowledgement of    Client Acknowledgements] ... imqSetJMSXUserID [Enable JMSXUserID Message Property] false Using the following lookup name: mytestFactory The object's read-only state: false To the object store specified by: java.naming.factory.initial com.sun.jndi.fscontext.RefFSContextFactory java.naming.provider.url file:///home/gael/tmp Object successfully added. To specify a destination: #> ./imqobjmgr add -l "mytestQueue" -j "java.naming.factory.initial=com.sun.jndi.fscontext.RefFSContextFactory" -j "java.naming.provider.url=file:///home/gael/tmp" -t q -o    "imqDestinationName=myTestQueue" Adding a Queue object with the following attributes: imqDestinationDescription [Destination Description] A Description for the Destination Object imqDestinationName [Destination Name] myTestQueue Using the following lookup name: mytestQueue The object's read-only state: false To the object store specified by: java.naming.factory.initial com.sun.jndi.fscontext.RefFSContextFactory java.naming.provider.url file:///home/gael/tmp Object successfully added.

Creating the Destination on the Broker

By default, the Sun Message Queue broker allows auto-creation of the queue destination (see config.properties, where the default value for imq.autocreate.queue is true).

If the queue destination is not created automatically, you must create the destination object on the broker using the command shown in Code Example 11-4 (where myTestQueue is the destination):

Code Example 11-4  Creating a Destination Object on the Broker

name (Queue name): #> cd /opt/sun/mq/bin #>./imqcmd create dst -t q -n mytestQueue Username: <admin> Password: <admin> Creating a destination with the following attributes: Destination Name mytestQueue Destination Type Queue On the broker specified by: ------------------------- Host Primary Port ------------------------- localhost 7676 Successfully created the destination.

You can store administered objects in a directory or in a file:

In a directory: Using a directory is a centralized way of storing the Connection Factory and the Destination objects.

When you use a directory, these administered objects are stored as directory entries.

Note	If the Identity Manager PasswordSync servlet and the Identity Manager server are not on the same machine, then each of them must be able to access the .bindings file. You can repeat the administered object creation twice (on each machine) or you can copy the .bindings file to the proper location on each machine.

In a file: If the Identity Manager PasswordSync servlet and Identity Manager server are both running on the same server (or if you do not have a directory available), you can store the administrative objects in a file.

When you use a file, both administered objects are stored in a single file
(called .bindings on both Windows and Unix), under the directory you specified for the java.naming.provider.url (for example, file:///c:/temp on Windows or file:///tmp on Unix).

Configuring the JMS Listener Adapter for this Scenario

Configure the JMS listener adapter on the application server. Follow the instructions in the section Adding and Configuring a JMS Listener Adapter.

Configuring Active Sync

Next, configure the JMS Listener for synchronization. Active Sync is required if you are using JMS, but it is not used for direct connections.

To configure the JMS Listener for synchronization, follow these steps:

In the Administrator interface, click Resources in the menu.
In the Resource List, select the JMS Listener checkbox.
In the Resource Actions list, select Edit Synchronization Policy.

The Edit Synchronization page for the JMS Listener resource opens (Figure 11-15).

Figure 11-15  Configuring Active Sync for the JMS Listener



Under Common Settings, locate Proxy Administrator and select pwsyncadmin. (This administrator is associated with an empty form.)
Under Common Settings, locate Process Rule and select Synchronize User Password from the list. The default Synchronize User Password workflow takes each request that comes in from the JMS Listener adapter, checks out the ChangeUserPassword viewer, and then checks the ChangeUserPassword viewer back in.
In the Log File Path box, specify a path to a directory where the active and archived log files should be created.
For debugging purposes, set the Log Level to 4 to generate a verbose log.
Click Save.

---

Testing Your Configuration

You can use the Windows PasswordSync Configuration application to debug the Windows side of your configuration.

To test your PasswordSync configuration, follow these steps:

Start the PasswordSync configuration application, if it is not already running.

By default, the configuration application is installed at Program Files >
Sun Identity Manager PasswordSync > Configuration.

When the PasswordSync Configuration dialog displays, click the Test button.
If using JMS, the Test Connection dialog (Figure 11-16) displays, with a message stating whether the test connection completed successfully.

Figure 11-16  Test Connection Dialog



Click Close to close the Test Connection dialog.
Click OK to close the PasswordSync Configuration dialog.

The JMS Listener adapter then runs in debug mode, and generates debug information in a file, similar to the one in Figure 11-17.

Figure 11-17  Debug Information File

---

Frequently Asked Questions about PasswordSync

Can PasswordSync be implemented without a Java Messaging Service?

Yes, but doing so eliminates the advantages of using a JMS to track password change events.

To implement PasswordSync without a JMS, launch the configuration application with the following flag:

Configure.exe -direct

When the -direct flag is specified, the configuration application displays the User tab.

If you implement PasswordSync without a JMS, you do not need to create a JMS Listener adapter. Therefore, you should omit the procedures listed in Deploying PasswordSync on the Application Server. If you want to set up notifications, you may need to alter the Change User Password workflow.

Note	If you subsequently run the configuration application without specifying the -direct flag, PasswordSync will require a JMS to be configured. Relaunch the application with the -direct flag to bypass the JMS again.

Can PasswordSync be used in conjunction with other Windows password filters that are used to enforce custom password policies?

Yes, you can use PasswordSync in conjunction with other _WINDOWS_ password filters. It must, however, be the last password filter listed in the Notification Package registry value.

You must use this Registry path:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Notification Packages (value of type REG_MULTI_SZ)

By default, the installer places the Identity Manager password intercept at the end of the list, but if you installed the custom password filter after the installation, you will be required to move lhpwic to the end of the Notification Packages list.

You can use PasswordSync in conjunction with other Identity Manager password policies. When policies are checked on the Identity Manager server side, all resource password policies must pass in order for the password synchronization to be pushed out to other resources. Consequently, you should make the Windows native password policy as restrictive as the most restrictive password policy defined in Identity Manager.

Note	The password intercept DLL does not enforce any password policies.

Can the PasswordSync servlet be installed on a different application server than Identity Manager?

Yes. The PasswordSync servlet requires the spml.jar and idmcommon.jar JAR files, in addition to any JAR files required by the JMS application.

Does the PasswordSync service send passwords over to the lh server in clear text?

Although we recommend running PasswordSync over SSL, all sensitive data is encrypted before being sent to the Identity Manager server.

For information, see Configure PasswordSync for SSL.

Sometimes password changes result in com.waveset.exception.ItemNotLocked?

If you enable PasswordSync, a password change (even one initiated from the user interface), will result in a password change on the resource, which causes the resource to contact Identity Manager.

If you configure the passwordSyncThreshold workflow variable correctly, Identity Manager examines the user object and decides that it has already handled the password change. However, if the user or the administrator makes another password change for the same user, at the same time, the user object could be locked.

Previous      Contents      Index      Next

---

Part No: 820-2954-10.   Copyright 2008 Sun Microsystems, Inc. All rights reserved.