Sun Java System Access Manager 7.1 Administration Guide

Chapter 9 Password Reset Service

Access Manager provides a Password Reset service to allow users to reset their password for access to a given service or application protected by Access Manager. The Password Reset service attributes, defined by the top-level administrator, control user validation credentials (in the form of secret questions), control the mechanism for new or existing password notification, and sets possible lockout intervals for incorrect user validation.

This chapter contains the following sections:

Registering the Password Reset Service

The Password Reset service does not need to be registered for the realm in which the user resides. If the Password Reset service does not exist in the organization in which the user resides, it will inherit the values defined for the service in Service Configuration.

Procedure: To Register Password Reset for Users in a Different Realm

  1. Navigate to the realm in which you will register the Password Reset service for the user.

  2. Click the realm name and click the Services tab.

    If it has not been added to the realm, click the Add button.

  3. Select Password Reset and click Next.

    The Password Reset service attributes will be displayed. For attribute definitions, see the online help.

  4. Click Finish.

Configuring the Password Reset Service

Once the Password Reset service has been registered, the service must be configured by a user with administrator privileges.

Procedure: To Configure the Service

  1. Select the realm for which the Password Reset service is registered.

  2. Click the Services tab.

  3. Click Password Reset from the services list.

  4. The Password Reset attributes appear, allowing you to define requirements for the Password Reset service. Make sure that the Password Reset service is enabled (it is by default). At a minimum, the following attributes must be defined:

    • User Validation

      • Secret Question

      • Bind DN

      • Bind Password

        The Bind DN attribute must contain a user with privileges for resetting the password (for example, Help Desk Administrator). Due to a limitation in Directory Server, Password Reset does not work when the bind DN is cn=Directory Manager.

        The remaining attributes are optional. See the online help for a description of the service attributes.


      Note –

      Access Manager automatically installs the Password Reset web application for random password generation. However, you can write your own plug-in classes for password generation and password notification. See the Readme.html files in the following locations for samples of these plug-in classes.

      PasswordGenerator:

      AccessManager-base/SUNWam/samples/console/PasswordGenerator

      NotifyPassword:

      AccessManager-base/SUNWam/samples/console/NotifyPassword

  5. Select the Personal Question Enabled attribute if the user is to define his/her unique personal questions. Once the attributes are defined, click Save.

Procedure: To Localize the Secret Question

If you are running a localized version of Access Manager and wish to display the secret question in a character set specific to your locale, perform the following:

  1. Add the secret question key to the Current Values list under the Secret Question attribute in the Password Reset service. For example, favorite-color.

  2. Add the key to the amPasswordReset.properties file with the question that you want to display as the value of this key. For example:

    favorite-color=What is your favorite color?

  3. Add the same key with the localized question to AMPasswordReset_locale.properties located in /opt/SUNWam/locale. When the user attempts to change his or her password, the localized question is displayed.
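To see why the key must be spelled identically in all three places, here is the lookup the procedure above depends on, written in Python as an added example (it is not Access Manager code). It parses the subset of the Java .properties format these bundles use, including the \uXXXX escapes that native2ascii produces, and resolves a key with the same parent-chain fallback that Java's ResourceBundle applies (fr_FR, then fr, then the base file). The bundle contents and the base name amPasswordReset are constructed for the example; if a key is missing from the locale file, the user sees the base-file question.

```python
import re

# Constructed sample bundles, keyed by bundle name (base name assumed: amPasswordReset).
# The French value uses \uXXXX escapes exactly as a native2ascii-converted file would.
SAMPLE_BUNDLES = {
    "amPasswordReset": "# base (English) questions\n"
                       "favorite-color=What is your favorite color?\n"
                       "pet-name = What is your pet's name?\n",
    "amPasswordReset_fr": r"favorite-color=Quelle est votre couleur pr\u00e9f\u00e9r\u00e9e ?" + "\n",
}


def parse_properties(text):
    """Parse the subset of the Java .properties format used by these bundles.

    Handles '#'/'!' comments, '=' or ':' separators with optional whitespace,
    and \\uXXXX escapes. Line continuations are out of scope for this example.
    """
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", line)
        if not m:
            continue
        key, value = m.group(1), m.group(2)
        # Decode \uXXXX escapes the way java.util.Properties does.
        value = re.sub(r"\\u([0-9a-fA-F]{4})", lambda e: chr(int(e.group(1), 16)), value)
        props[key] = value
    return props


def resolve_question(key, locale, bundles):
    """Look up key the way ResourceBundle does: most specific bundle first, base last.

    locale is a Java-style tag such as "fr_FR"; "" selects the base bundle only.
    Returns None when no bundle in the chain defines the key.
    """
    parts = locale.split("_") if locale else []
    for n in range(len(parts), -1, -1):
        name = "amPasswordReset" + ("_" + "_".join(parts[:n]) if n else "")
        text = bundles.get(name)
        if text is None:
            continue
        props = parse_properties(text)
        if key in props:
            return props[key]
    return None


if __name__ == "__main__":
    for loc in ("fr_FR", "en_US", ""):
        print(loc or "<base>", "->", resolve_question("favorite-color", loc, SAMPLE_BUNDLES))
    # pet-name is only in the base file, so a French user still sees the English question
    print("fr_FR pet-name ->", resolve_question("pet-name", "fr_FR", SAMPLE_BUNDLES))
```

The check a practitioner wants after step 3 is the last lookup: a key present in the Current Values list and the base file but absent from the locale file silently falls back to the English text rather than failing, so a missing translation only shows up on the user's screen.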

Password Reset Lockout

The Password Reset service contains a lockout feature that restricts users to a certain number of attempts to correctly answer their secret questions. The lockout feature is configured through the Password Reset service attributes. See the online help for a description of the service attributes. Password Reset supports two types of lockout: memory lockout and physical lockout.

Memory Lockout

This is a temporary lockout and is in effect only when the value in the Password Reset Failure Lockout Duration attribute is greater than zero and the Enable Password Reset Failure Lockout attribute is enabled. This lockout will prevent users from resetting their password through the Password Reset web application. The lockout lasts for the duration specified in Password Reset Failure Lockout Duration, or until the server is restarted. See the online help for a description of the service attributes.

Physical Lockout

This is a more permanent lockout. If the value set in the Password Reset Failure Lockout Count attribute is set to 0 and the Enable Password Reset Failure Lockout attribute is enabled, the user's account status is changed to inactive when he or she incorrectly answers the secret questions. See the online help for a description of the service attributes.

Password Reset for End Users

The following sections describe the user experience for the Password Reset service.

Customizing Password Reset

Once the Password Reset service has been enabled and the attributes defined by the administrator, users are able to log into the Access Manager console in order to customize their secret questions.

Procedure: To Customize Password Reset

  1. The user logs into the Access Manager console, providing Username and Password and is successfully authenticated.

  2. In the User Profile page, the user selects Password Reset Options. This displays the Available Questions Answer Screen.

  3. The user is presented with the available questions that the administrator defined for the service, such as:

    • What is your pet’s name?

    • What is your favorite TV show?

    • What is your mother’s maiden name?

    • What is your favorite restaurant?

  4. The user selects the secret questions, up to the maximum number of questions that the administrator defined for the realm (the maximum number is defined in the Password Reset service). The user then provides answers to the selected questions. These questions and answers will be the basis for resetting the user’s password (see the following section). If the administrator has selected the Personal Question Enabled attribute, text fields are provided, allowing the user to enter a unique secret question and provide an answer.

  5. The user clicks Save.

Resetting Forgotten Passwords

In the case where users forget their password, Access Manager uses the Password Reset web application to randomly generate new passwords and notify the user of the new password. A typical forgotten password scenario follows:

Procedure: To Reset Forgotten Passwords

  1. The user logs into the Password Reset web application from a URL given to them by the administrator. For example:

    http://hostname:port/ampassword (for the default realm)

    or

    http://hostname:port/deploy_uri/UI/PWResetUserValidation?realm=realmname, where realmname is the name of the realm.

    Note –

    If the Password Reset service is not enabled for a parent realm but is enabled for a sub-realm, users must use the following syntax to access the service:

    http://hostname:port/deploy_uri/UI/PWResetUserValidation?realm=realmname

  2. The user enters the user id.

  3. The user is presented with the personal questions that were defined in the Password Reset service and selected by the user during customization. If the user has not previously logged into the User Profile page and customized the personal questions, the password will not be generated.

    Once the user answers the questions correctly, the new password is generated and emailed to the user. Attempt notification is sent to the user whether the questions are answered correctly or not. Users must have their email address entered in the User Profile page in order for the new password and attempt notification to be received.
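The lockout rules from the Password Reset Lockout section and the reset flow just described, modelled in Python as an added example (this is not Access Manager's code, and the plug-in samples it ships are different programs). The status strings, the ManualClock, the 12-character password policy, the answer normalisation and the sample users in the test are constructed for the illustration; the attribute names in the comments are the ones the guide uses. Memory lockout is kept in a dictionary that restart() clears, which is why a server restart lifts it while a physical lockout survives: that one is recorded on the account itself. The attempt notification is queued before the answers are judged, so it goes out on both outcomes, and nothing is queued for a profile without an email address. New passwords come from the secrets module, the CSPRNG a password-generation plug-in should use.

```python
"""Password Reset validation flow with memory and physical lockout.
Added example, not Access Manager code: it models the behaviour the guide
describes on in-memory data so that it runs offline.
"""
import hmac
import secrets
import string


class ManualClock:
    def __init__(self): self.t = 0.0      # advance .t to simulate the lockout duration elapsing
    def __call__(self): return self.t


class ResetServiceConfig:
    """Subset of the Password Reset service attributes named in the guide."""
    def __init__(self, lockout_enabled=True, lockout_count=3, lockout_duration_s=900):
        self.lockout_enabled = lockout_enabled        # Enable Password Reset Failure Lockout
        self.lockout_count = lockout_count            # Password Reset Failure Lockout Count
        self.lockout_duration_s = lockout_duration_s  # Lockout Duration, modelled in seconds
        self.password_length = 12                     # assumed; not an attribute on the page


class User:
    def __init__(self, uid, email, answers):
        self.uid = uid
        self.email = email      # from the User Profile page; None if never entered
        self.answers = answers  # question key -> answer chosen during customization
        self.active = True      # account status; physical lockout sets this to False
        self.password = None


class PasswordResetService:
    def __init__(self, cfg, users, clock):
        self.cfg, self.users, self.clock = cfg, users, clock
        self.outbox = []        # (email, subject) pairs the service "sent"
        # Memory-lockout state lives only in process memory and is lost on restart.
        self._failures = {}     # uid -> consecutive wrong attempts
        self._locked_until = {} # uid -> clock value at which the lockout ends

    def restart(self):
        """Simulate a server restart: memory lockouts vanish, physical ones persist."""
        self._failures.clear()
        self._locked_until.clear()

    def _notify(self, user, subject):
        if user.email:          # mail is only delivered when the profile has an address
            self.outbox.append((user.email, subject))

    def _generate_password(self):
        """CSPRNG password with at least one character of each class (example policy)."""
        classes = [string.ascii_lowercase, string.ascii_uppercase, string.digits, "!@#$%^&*"]
        chars = [secrets.choice(c) for c in classes]
        pool = "".join(classes)
        chars += [secrets.choice(pool) for _ in range(self.cfg.password_length - len(chars))]
        secrets.SystemRandom().shuffle(chars)
        return "".join(chars)

    def _answers_match(self, user, given):
        # Constant-time compare of every answer; case/whitespace folding is this example's choice.
        ok = True
        for q, expected in user.answers.items():
            a = expected.strip().casefold().encode()
            b = given.get(q, "").strip().casefold().encode()
            ok &= hmac.compare_digest(a, b)
        return ok

    def reset(self, uid, given_answers):
        """Run one reset attempt for uid and return a status string."""
        user = self.users.get(uid)
        if user is None:
            return "unknown-user"       # a production UI should not reveal this distinction
        if not user.active:
            return "account-inactive"
        if not user.answers:
            return "not-customized"     # questions never customized: no password is generated
        deadline = self._locked_until.get(uid)
        if deadline is not None:
            if self.clock() < deadline:
                return "locked-out"
            del self._locked_until[uid]  # duration elapsed; lockout lifted

        # Attempt notification goes out whether or not the answers are right.
        self._notify(user, "password reset attempt")
        if self._answers_match(user, given_answers):
            self._failures.pop(uid, None)
            user.password = self._generate_password()
            self._notify(user, "your new password")
            return "password-sent"

        if not self.cfg.lockout_enabled:
            return "wrong-answer"
        if self.cfg.lockout_count == 0:
            user.active = False          # physical lockout: account status set to inactive
            return "account-inactive"
        self._failures[uid] = self._failures.get(uid, 0) + 1
        if self._failures[uid] >= self.cfg.lockout_count and self.cfg.lockout_duration_s > 0:
            # Memory lockout applies only when Duration > 0, as the guide states.
            self._locked_until[uid] = self.clock() + self.cfg.lockout_duration_s
            self._failures[uid] = 0
            return "locked-out"
        return "wrong-answer"
```

Two readings of the text are made explicit in the code and should be checked against the online help before relying on them: a lockout count of 0 is treated as the physical-lockout trigger, and a non-zero count with a duration of 0 applies no lockout at all.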

Password Policies

A password policy is a set of rules to govern how passwords are used in a given directory. Password policies are defined in the Directory Server, typically through the Directory Server console. A secure password policy minimizes the risks associated with easily-guessed passwords by enforcing the following:

Directory Server provides several ways to set a password policy at any node in the directory tree. For details, refer to Directory Server Password Policy in the Directory Server Enterprise Edition 6.0 Administration Guide.


Note –

In Directory Server, the password policy contains an attribute, passwordExp, that defines whether user passwords expire after a given number of seconds. If the administrator sets the passwordExp attribute to on, this sets the expiration for end-user passwords as well as for Access Manager's administrative accounts, such as amldap, dsame, and puser. When the Access Manager administrator's account password expires while an end user is logged in, the user receives the password change screen. However, Access Manager does not indicate which user the password change screen pertains to. In this case, the screen is intended for the administrator, and the end user will be unable to change the password.

To resolve this, the administrator must log in to the Directory Server and change the amldap, dsame, and puser passwords, or change the passwordExpirationTime attribute for some time in the future.