Oracle Waveset 8.1.1 Business Administrator's Guide

What is PasswordSync?

The PasswordSync feature keeps user password changes made on Windows Active Directory domains synchronized with other resources defined in Waveset. PasswordSync must be installed on each domain controller in the domains that will be synchronized with Waveset. PasswordSync must be installed separately from Waveset.

PasswordSync consists of a DLL (lhpwic.dll) that resides on each domain controller. This DLL receives password update notifications from Windows, encrypts them, and sends them over HTTPS to the PasswordSync servlet. The PasswordSync servlet is located on the application server running Waveset.


Note –

Using HTTPS is preferred, but HTTP is also supported.


The PasswordSync servlet translates the notification into a format Waveset can understand. The servlet then sends the password change (still encrypted) to Waveset using one of the following methods:

Figure 11–1 diagrams a direct connection. In this configuration the PasswordSync servlet sends update messages directly to Waveset.

Figure 11–1 PasswordSync Logical Diagram (Direct Connection)


Figure 11–2 diagrams a JMS connection. In this configuration the PasswordSync servlet sends update messages to the JMS Message Queue. Waveset’s JMS Listener Resource Adapter periodically checks the Queue (indicated by the light blue arrow in the diagram) for new messages. The Queue responds by sending the messages to Waveset (indicated by the dark blue arrow).

Figure 11–2 PasswordSync Logical Diagram (JMS Connection)


When Waveset receives a password change notification, it decrypts it and processes the change using a workflow task. The password is updated on all of the user’s assigned resources, and an SMTP server sends an email to the user, notifying the user of the status of the password change.


Note –

Windows only sends out an update notification if a password change is successful. If a password change request does not meet the domain’s password policy, Windows will reject it and no synchronization data will be sent to Waveset.


Figure 11–3 shows Waveset initiating a workflow and sending email to the user after receiving a password update notification.

Figure 11–3 PasswordSync Triggers a Workflow



Note –

PasswordSync discards all account change notifications for account names that end in a $ (dollar sign). Account names that end in a $ are assumed to be Windows computer accounts. Any user account names that end in a dollar sign will not be forwarded to Waveset.
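The following added example (not part of the Oracle guide and not Waveset code) applies the rule in the note above to a directory export and lists ordinary user accounts whose password changes would never be forwarded to Waveset. The CSV layout, the function names, and the sample rows are assumptions made for illustration; the sAMAccountType values are the standard Active Directory constants.

```python
import csv
import io

# Active Directory sAMAccountType values (decimal).
SAM_NORMAL_USER_ACCOUNT = 805306368   # 0x30000000: ordinary user account
SAM_MACHINE_ACCOUNT = 805306369       # 0x30000001: computer account


def dropped_by_passwordsync(account_name):
    """Rule from the note above: names ending in '$' are discarded."""
    return account_name.endswith("$")


def unsynced_user_accounts(export_csv):
    """Return user accounts whose password changes would not reach Waveset.

    export_csv: text of a CSV export with the columns sAMAccountName and
    sAMAccountType (an assumed export layout, not a Waveset format).
    """
    flagged = []
    for row in csv.DictReader(io.StringIO(export_csv)):
        name = row["sAMAccountName"].strip()
        acct_type = int(row["sAMAccountType"])
        # Computer accounts are the intended target of the filter; only
        # ordinary users caught by it are a synchronization gap.
        if acct_type == SAM_NORMAL_USER_ACCOUNT and dropped_by_passwordsync(name):
            flagged.append(name)
    return sorted(flagged)


# Constructed sample export (not real directory data).
SAMPLE_EXPORT = """sAMAccountName,sAMAccountType
jsmith,805306368
WKSTN-042$,805306369
svc-backup$,805306368
payroll$,805306368
DC01$,805306369
a$mith,805306368
"""

if __name__ == "__main__":
    for name in unsynced_user_accounts(SAMPLE_EXPORT):
        print(f"password changes not forwarded to Waveset: {name}")
```

Accounts reported by this check keep whatever password they already have on the other Waveset resources after a Windows password change, so they should be renamed or handled by a separate process.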