Sun[TM] Identity Manager 8.0 Administration
Chapter 11
PasswordSync
PasswordSync detects user password changes initiated on Windows domains and forwards those changes to Identity Manager. Identity Manager then synchronizes password changes with the other resources defined in Identity Manager.
This chapter is organized as follows:
- What is PasswordSync?
- Before You Install
- Installing PasswordSync on Windows
- Configuring PasswordSync
- Debugging PasswordSync on Windows
- Uninstalling PasswordSync on Windows
- Deploying PasswordSync on the Application Server
- Configuring PasswordSync with a Sun JMS Server
- Testing Your Configuration
- Frequently Asked Questions about PasswordSync
What is PasswordSync?
The PasswordSync feature keeps user password changes made on Windows Active Directory domains synchronized with other resources defined in Identity Manager. PasswordSync must be installed on each domain controller in the domains that will be synchronized with Identity Manager. PasswordSync must be installed separately from Identity Manager.
PasswordSync consists of a DLL (lhpwic.dll) that resides on each domain controller. This DLL receives password update notifications from Windows, encrypts them, and sends them over HTTPS to the PasswordSync servlet. The PasswordSync servlet is located on the application server running Identity Manager.
The PasswordSync servlet translates the notification into a format Identity Manager can understand. It then sends the password change (still encrypted) to Identity Manager using one of the following methods:
- The Direct method - The servlet communicates the password change directly to Identity Manager using native Identity Manager classes. (See Figure 11-1.)
The direct connection method is only recommended for smaller, less complex environments that only require message delivery to one system, and that do not require guaranteed message delivery. (If for some reason direct message delivery were to fail, the message would be lost. Backup delivery is not possible.)
- The JMS method - The servlet sends the password information to Identity Manager using JMS (Java Message Service). With JMS, the servlet submits password changes to the JMS Message Queue. Separately, Identity Manager’s JMS Listener Resource Adapter checks the Queue for new messages. If a password change message is found waiting on the Queue, the JMS Listener Adapter takes the message off the Queue and imports it into Identity Manager. (See Figure 11-2.)
The JMS method is recommended for more complex environments that need messages delivered to multiple systems, as well as guaranteed message delivery. (The JMS Message Queue can be made highly available. And, if message delivery should fail, the Queue will keep the change until it can be delivered to Identity Manager.)
JMS, however, must be installed and configured separately.
Figure 11-1 diagrams a direct connection. In this configuration the PasswordSync servlet sends update messages directly to Identity Manager.
Figure 11-1 PasswordSync Logical Diagram (direct connection).
Figure 11-2 diagrams a JMS connection. In this configuration the PasswordSync servlet sends update messages to the JMS Message Queue. Identity Manager’s JMS Listener Resource Adapter periodically checks the Queue (indicated by the light blue arrow in the diagram) for new messages. The Queue responds by sending the messages to Identity Manager (indicated by the dark blue arrow).
Figure 11-2 PasswordSync Logical Diagram (JMS connection).
When Identity Manager receives a password change notification, it decrypts it and processes the change using a workflow task. The password is updated on all of the user’s assigned resources, and an SMTP server sends an email to the user, notifying the user of the status of the password change.
Figure 11-3 shows Identity Manager initiating a workflow and sending email to the user after receiving a password update notification.
Figure 11-3 PasswordSync triggers a workflow.
Before You Install
The PasswordSync feature can be set up only on Windows 2003 and Windows 2000 domain controllers. (Support for Windows NT domain controllers has been discontinued in version 8.0 of Identity Manager.) You must install PasswordSync on each primary and backup domain controller in the domains that will be synchronized with Identity Manager. Configuring PasswordSync for HTTPS is highly recommended.
If using JMS, PasswordSync requires connectivity with a JMS server. See the JMS Listener resource adapter section in the Sun Identity Manager Resources Reference for more information about the requirements for the JMS system.
In addition, PasswordSync requires you to:
- Install Microsoft .NET 1.1
- Configure PasswordSync for SSL
- Uninstall previous versions of PasswordSync
These requirements are discussed in more detail in the following sections.
Install Microsoft .NET 1.1
To use PasswordSync, you must install the Microsoft .NET 1.1 Framework. This Framework is installed by default if you are using a Windows 2003 domain controller. If you are using a Windows 2000 domain controller, you can download the toolkit from the Microsoft Download Center at:
http://www.microsoft.com/downloads
Configure PasswordSync for SSL
Although sensitive data is encrypted before being sent to the Identity Manager server, Sun Microsystems recommends configuring PasswordSync to use a secure SSL connection (that is, an HTTPS connection).
For information on how to install imported SSL certificates, see this Microsoft Knowledge Base How-To article:
http://support.microsoft.com/kb/816794
Once you have installed PasswordSync, you can test that your SSL connection is properly configured by specifying an HTTPS URL in the PasswordSync configuration dialog. See Testing Your Configuration for instructions.
Uninstall Previous Versions of PasswordSync
You must remove any previously installed instances of PasswordSync before installing a later version.
- If the previously installed version of PasswordSync supports the IdmPwSync.msi installer, you can use the standard Windows Add/Remove Programs utility to remove the program.
- If the previously installed version of PasswordSync does not support the IdmPwSync.msi installer, use the InstallAnywhere uninstaller to remove the program.
Installing PasswordSync on Windows
The following procedure describes how to install the PasswordSync configuration application.
To install PasswordSync, follow these steps:
- From the Identity Manager installation media, double-click pwsync\IdmPwSync_x86.msi if installing to a 32-bit version of Windows, or double-click pwsync\IdmPwSync_x64.msi if installing to a 64-bit version of Windows.
The Welcome window is displayed.
The installation wizard provides the following navigational buttons:
- Read the information provided on the Welcome screen, and then click Next to display the Choose Setup Type PasswordSync Configuration window.
- Click either Typical or Complete to install the full PasswordSync package, or Custom to control which parts of the package are installed.
- Click Install to install the product.
A message displays to let you know if you installed PasswordSync successfully.
- Click Finish to complete the installation process.
Be sure to select Launch Configuration Application so that you can begin configuring Password Sync. See Configuring PasswordSync for details about this process.
Table 11-1 describes the files that are installed on each domain controller.
Configuring PasswordSync
If you run the configuration application from the installer, the application displays the configuration screens as a wizard. After you have completed the wizard, each subsequent time you run the PasswordSync configuration application, you can navigate between screens by selecting a tab.
To configure PasswordSync, follow these steps:
- Start the PasswordSync configuration application (if it is not already running).
By default, the configuration application is installed at Program Files > Sun Identity Manager PasswordSync > Configuration.
If you do not plan to use JMS, launch the configuration application from a command line. Be sure to include the -direct flag:
C:\InstallDir\Configure.exe -direct
The PasswordSync Configuration dialog is displayed (see Figure 11-4).
Figure 11-4 PasswordSync Wizard Configuration Dialog
Edit the fields as necessary.
- Server must be replaced with the fully-qualified host name or IP address where Identity Manager is installed.
- Protocol indicates whether to make secure connections to Identity Manager. If HTTP is selected, the default port is 80. If HTTPS is selected, the default port is 443.
- Path specifies the path to Identity Manager on the application server.
- URL is generated by concatenating the other fields together. The value cannot be edited within the URL field.
- Click Next to display the Proxy Server Configuration page (Figure 11-5).
Figure 11-5 PasswordSync Wizard Proxy Server Dialog
Edit the fields as necessary.
- Click Next to display the JMS Settings dialog (Figure 11-6).
Or, if you do not plan to use JMS and you launched the configuration wizard with the -direct flag, click Next to display the User dialog. Skip to Step 5.
Figure 11-6 PasswordSync Wizard JMS Settings Dialog
Edit the fields as necessary.
- User specifies the JMS user name that places new messages on the queue.
- Password and Confirm specify the password for the JMS user.
- Connection Factory specifies the name of the JMS connection factory to be used. This factory must already exist on the JMS system.
- In most cases, Session Type should be set to LOCAL, which indicates that a local session transaction will be used. The session will be committed after each message is received. Other possible values include AUTO, CLIENT, and DUPS_OK.
- Queue Name specifies the Destination Lookup Name for the password synchronization events.
- Click Next to display the JMS Properties dialog (Figure 11-7).
Figure 11-7 PasswordSync Wizard JMS Properties Dialog
The JMS Properties dialog allows you to define the set of properties that are used to build the initial JNDI context. The following name/value pairs must be defined:
- java.naming.provider.url — The value must be set to the URL of the machine running the JNDI service.
- java.naming.factory.initial — The value must be set to the classname (including the package) of the Initial Context Factory for the JNDI Service Provider.
The Name pull-down menu contains a list of classes from the java.naming package. Select a class or type in a class name, then enter its corresponding value in the Value field.
- If you do not plan to use JMS and you launched the configuration wizard with the -direct flag, configure the User tab. Otherwise, skip this step and go to the next step.
To configure the User tab, edit the fields as necessary.
- Click Next to display the Email dialog (Figure 11-8).
Figure 11-8 PasswordSync Wizard Email Dialog
The Email dialog enables you to configure whether to send an email notification when a user’s password change does not synchronize successfully due to a communication error or other error outside of Identity Manager.
Edit the fields as necessary.
- Select Enable Email to enable this feature. Select Email End User if the user is to receive notifications. Otherwise, only the administrator will be notified.
- SMTP Server is the fully qualified name or IP address of the SMTP server to be used when sending failure notifications.
- Administrator Email Address is the email address used to send notifications.
- Sender’s Name is the “friendly name” of the sender.
- Sender’s Address is the email address of the sender.
- Message Subject specifies the subject line of all notifications
- Message Body specifies the text of the notification.
- Click Finish to save your changes.
If you run the configuration application again, a set of tabs is displayed instead of a wizard. If you wish to display the application as a wizard, type the following command from the command line:
C:\InstallDir\Configure.exe -wizard
To test your PasswordSync configuration, see Testing Your Configuration.
Debugging PasswordSync on Windows
See the Identity Manager Tuning, Troubleshooting, and Error Messages book for information on troubleshooting PasswordSync on Windows.
Error Logs
PasswordSync writes all failures to the Windows Event Viewer. (For help using Event Viewer, see Windows Help.) The source name for error log entries is PasswordSync.
Uninstalling PasswordSync on Windows
To uninstall the PasswordSync application, go to the Windows Control Panel and select Add or Remove Programs. Then select Sun Identity Manager PasswordSync and click Remove.
Note
PasswordSync can also be uninstalled (or reinstalled) by loading the Identity Manager installation media and clicking on the pwsync\IdmPwSync.msi icon.
You must restart your system to complete the process.
Deploying PasswordSync on the Application Server
Once PasswordSync is installed on your Windows domain controllers, you need to take additional steps on the application server running Identity Manager.
You do not need to install the PasswordSync servlet on the application server. It is automatically installed when you installed Identity Manager.
To finish deploying PasswordSync, however, you do need to perform the following actions in Identity Manager:
- Adding and Configuring a JMS Listener Adapter
- Implementing the Synchronize User Password Workflow
- Setting Up Notifications
Adding and Configuring a JMS Listener Adapter
If the PasswordSync servlet is using JMS to send messages to Identity Manager, you need to add Identity Manager’s JMS Listener resource adapter. The JMS Listener resource adapter periodically checks the JMS Message Queue for messages placed there by the PasswordSync servlet. If the Queue contains a new message, it sends it to Identity Manager for processing.
To add the JMS Listener resource adapter, follow these steps.
- Log on to the Identity Manager Administrator Interface.
- Click Resources.
- Click Configure Types in the secondary menu.
The “Configure Managed Resources” page opens.
- Verify that the checkbox in the Managed? column is selected for JMS Listener. (See Figure 11-9.)
If it is not selected, select the checkbox and click Save. Otherwise, go to the next step.
Figure 11-9 shows the “Configure Managed Resources” page. Verify that JMS Listener is selected.
Figure 11-9 The “Configure Managed Resources” page.
- Click List Resources in the secondary menu.
- Locate the Resource Type Actions drop-down menu and select New Resource.
The “New Resource” page opens.
- Select JMS Listener from the drop-down menu and click New. (See Figure 11-10.)
The “Create JMS Listener Resource Wizard” Welcome page opens. Click Next to start the configuration wizard.
Figure 11-10 shows the New Resource Wizard. To add the JMS Listener Adapter, select JMS Listener from the list.
Figure 11-10 The New Resource Wizard.
You must configure the following settings:
- Destination Type — This value will typically be set to Queue. (Topics are not usually relevant because there is one subscriber and potentially multiple publishers.)
- Initial context JNDI properties — This text box defines the set of properties that are used to build the initial JNDI context. The following name/value pairs must be defined:
- java.naming.factory.initial — The value must be set to the classname (including the package) of the Initial Context Factory for the JNDI Service Provider.
- java.naming.provider.url — The value must be set to the URI of the machine running the JNDI service.
It may be necessary to define additional properties. The list of properties and values should match those specified on the JMS settings page on the JMS server.
For example, to provide the credentials and bind method, you may need to specify the following sample properties:
- java.naming.security.principal: Bind DN (for example, cn=Directory manager)
- java.naming.security.authentication: Bind method (for example, simple)
- java.naming.security.credentials: Password
- JNDI name of Connection factory — The name of a connection factory, as defined on the JMS server.
- JNDI name of Destination — The name of a destination, as defined on the JMS server.
- User and Password — The account name and password of the administrator that requests new events from the queue.
- Reliable Messaging Support — Select LOCAL (Local Transactions). The other options are not applicable for password synchronization.
- Message Mapping — Enter java:com.waveset.adapter.jms.PasswordSyncMessageMapper. This class transforms messages from the JMS server into a format that can be used by the Synchronize User Password workflow.
Figure 11-11 The JMS Listener Resource Wizard “Resource Parameters” page
- On the “Account Attributes” wizard page, click Add Attribute.
Figure 11-12 The “Account Attributes” page of the “Create JMS Listener Resource Wizard”
- Map the following attributes, which are made available to the JMS Listener Adapter by PasswordSyncMessageMapper. Refer to Figure 11-12. Click Next when you are done.
- The “Identity Template” wizard page opens.
Note that the attributes you added in the previous step are available in the Attribute Mappings section of the Resource Wizard (Figure 11-13).
Click Next.
Figure 11-13 JMS Listener Resource Wizard Attribute Mappings
- The “Identity System Parameters” wizard page opens.
Configure the options on this page as needed.
See Sun Identity Manager Resources Reference for more information about setting up the JMS Listener resource adapter.
Implementing the Synchronize User Password Workflow
When Identity Manager receives a password change notification, it starts the “Synchronize User Password” workflow. The default “Synchronize User Password” workflow checks out the ChangeUserPassword viewer, and then checks it back in again. Next, the workflow processes all of the user’s resource accounts (except the Windows resource that sent the initial password change notification). Finally, Identity Manager sends the user email indicating whether the password change was successful on all resources.
If you want to use the default implementation of the “Synchronize User Password” workflow, assign it as the process rule for the JMS Listener adapter instance. Process rules may be assigned when you configure the JMS Listener for synchronization (see Configuring Active Sync).
If you want to modify the workflow, copy the $WSHOME/sample/wfpwsync.xml file and make your modifications. Then, import the modified workflow into Identity Manager.
Some of the modifications you might want to make to the default workflow include:
For detailed information about using workflows, see Sun Identity Manager Workflows, Forms, and Views.
Setting Up Notifications
Identity Manager provides two email templates that can inform users whether a password change was successful across all resources. These templates are:
Both templates should be updated to provide company-specific information about what users should do if they need further assistance. For more information see Customizing Email Templates.
Configuring PasswordSync with a Sun JMS Server
Identity Manager can use Java Message Service (JMS) to receive password change notifications from the PasswordSync servlet. In addition to guaranteed delivery, JMS can deliver messages to multiple systems.
Using a sample scenario, this section provides instructions for configuring PasswordSync with a Sun JMS server. The information is organized as follows:
- Overview
- Creating and Storing Administered Objects
- Configuring the JMS Listener Adapter for this Scenario
- Configuring Active Sync
Overview
This section describes the sample scenario, the Windows PasswordSync solution, and the JMS solution.
Sample Scenario
A typical (simple) use case for configuring PasswordSync with a JMS server is to enable users to change their passwords on Windows, have Identity Manager pick up the new password, and then update the user accounts with the new passwords on a Sun Directory Server.
The following environment was configured for this scenario:
- Windows Server 2003 Enterprise Edition – Active Directory
- Sun Identity Manager 6.0 2005Q4M3
- MySQL running on Suse Linux 10.0
- Tomcat 5.0.28 running on Suse Linux 10.0
- Sun Message Queue 3.6 SP3 2005Q4 running on Suse Linux 10.0
- Sun Directory Server 5.2 SP4 running on Suse Linux 10.0
- Java 1.5 (Java 5.0)
The following files were copied to the Tomcat common/lib directory to enable JMS and JNDI:
Creating and Storing Administered Objects
This section provides instructions for creating and storing the following administered objects, which are required for the sample scenario to work successfully:
- Connection factory objects
- Destination objects
Administered objects can be stored either in an LDAP directory or in a file. If using a file, all instances of the file must be the same.
Information on storing administered objects in an LDAP directory is covered first. For instructions on storing administered objects in a file, see Storing Administered Objects in a File.
Storing Administered Objects in an LDAP Directory
PasswordSync and the JMS Listener can be configured to use administered objects stored in an LDAP directory. Figure 11-14 illustrates the process. Both the PasswordSync Servlet and the JMS Listener adapter must retrieve connection factory and destination settings from the LDAP Directory in order to send and receive messages.
Figure 11-14 Retrieving Connection Factory and Destination Objects from the LDAP directory
This section explains how to use the Message Queue command-line tool (imqobjmgr) to store administered objects in an LDAP directory.
Storing Connection Factory Objects
Open the Message Queue command-line tool (imqobjmgr) and type the commands in Code Example 11-1 to store the connection factory objects.
In Code Example 11-1, imqAddressList defines the JMS server/broker hostname (gwenig.coopsrc.com), port (7676), and the access method (jms).
Storing Destination Objects
In the Message Queue command-line tool (imqobjmgr), type the commands in Code Example 11-2 to store the destination objects.
Code Example 11-2 Storing Destination Objects
#> ./imqobjmgr add -l "cn=mytestDestination" \
   -j "java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory" \
   -j "java.naming.provider.url=ldap://gwenig.coopsrc.com:389/ou=sunmq,dc=coopsrc,dc=com" \
   -j "java.naming.security.principal=cn=directory manager" \
   -j "java.naming.security.credentials=password" \
   -j "java.naming.security.authentication=simple" \
   -t q \
   -o "imqDestinationName=mytestDestination"
Adding a Queue object with the following attributes:
imqDestinationDescription [Destination Description] A Description for the Destination Object
imqDestinationName [Destination Name] mytestDestination
Using the following lookup name:
cn=mytestDestination
The object's read-only state: false
To the object store specified by:
java.naming.factory.initial com.sun.jndi.ldap.LdapCtxFactory
java.naming.provider.url ldap://gwenig.coopsrc.com:389/ou=sunmq,dc=coopsrc,dc=com
java.naming.security.authentication simple
java.naming.security.credentials netscape
java.naming.security.principal cn=directory manager
Object successfully added.
This concludes the section on Storing Administered Objects on an LDAP Server. Skip the next section, which describes how to store Administered Objects in a file, and go to the section on Configuring the JMS Listener Adapter for this Scenario.
Storing Administered Objects in a File
PasswordSync and the JMS Listener can be configured to use administered objects stored in a file. If you are not storing administered objects on an LDAP server (see Storing Administered Objects in an LDAP Directory), follow the instructions in this section.
Storing Connection Factory Objects
Open the Message Queue command-line tool (imqobjmgr) and type the commands in Code Example 11-3 to store connection factory objects and specify a lookup name.
Code Example 11-3 Storing Connection Factory Objects and Specifying Lookup Names
#> ./imqobjmgr add -l "mytestFactory" \
   -j "java.naming.factory.initial=com.sun.jndi.fscontext.RefFSContextFactory" \
   -j "java.naming.provider.url=file:///home/gael/tmp" \
   -t qf \
   -o "imqAddressList=mq://gwenig.coopsrc.com:7676/jms"
Adding a Queue Connection Factory object with the following attributes:
imqAckOnAcknowledge [Message Service Acknowledgement of Client Acknowledgements]
...
imqSetJMSXUserID [Enable JMSXUserID Message Property] false
Using the following lookup name:
mytestFactory
The object's read-only state: false
To the object store specified by:
java.naming.factory.initial com.sun.jndi.fscontext.RefFSContextFactory
java.naming.provider.url file:///home/gael/tmp
Object successfully added.
To specify a destination:
#> ./imqobjmgr add -l "mytestQueue" \
   -j "java.naming.factory.initial=com.sun.jndi.fscontext.RefFSContextFactory" \
   -j "java.naming.provider.url=file:///home/gael/tmp" \
   -t q \
   -o "imqDestinationName=myTestQueue"
Adding a Queue object with the following attributes:
imqDestinationDescription [Destination Description] A Description for the Destination Object imqDestinationName [Destination Name] myTestQueue
Using the following lookup name:
mytestQueue
The object's read-only state: false
To the object store specified by:
java.naming.factory.initial com.sun.jndi.fscontext.RefFSContextFactory
java.naming.provider.url file:///home/gael/tmp
Object successfully added.
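The java.naming.* pairs entered in the PasswordSync JMS Properties dialog and in the JMS Listener adapter's initial context JNDI properties are the same ones passed to imqobjmgr above, and the way to confirm that the stored objects are usable is to look them up through such a context. The following Java class is an added example, not code from Identity Manager or from Sun Message Queue. It builds the context for either the LDAP store or the file store, looks up the connection factory and destination by their lookup names, and sends and receives one message in a transacted session, which is what Session Type LOCAL on the PasswordSync side and Reliable Messaging Support LOCAL on the JMS Listener side select. Hostnames, ports, the base DN and the file path are the sample scenario's; the JMS user and password are assumed to come from the command line; the LDAP bind DN and password are parameters because imqobjmgr echoes java.naming.security.credentials in clear text in the output above; and for the LDAP store the connection factory's lookup name is whatever Code Example 11-1 assigned, so the caller supplies it. A plain text probe is not a PasswordSync message, so run the round trip against a scratch destination rather than the queue the JMS Listener consumes.

```java
import java.util.Hashtable;
import javax.jms.JMSException;
import javax.jms.Message;
import javax.jms.Queue;
import javax.jms.QueueConnection;
import javax.jms.QueueConnectionFactory;
import javax.jms.QueueReceiver;
import javax.jms.QueueSender;
import javax.jms.QueueSession;
import javax.jms.Session;
import javax.jms.TextMessage;
import javax.naming.Context;
import javax.naming.InitialContext;
import javax.naming.NamingException;

/*
 * Added example, not Identity Manager or Message Queue product code. Needs the
 * JMS API jar, the Message Queue client jar and (for the file store) the
 * fscontext provider jar on the classpath. Written for Java 5 syntax.
 */
public class AdministeredObjectCheck {

    // JNDI environment matching the LDAP object store of Code Example 11-2.
    // Bind DN and password are parameters so they stay out of source and shell history.
    static Hashtable<String, String> ldapEnvironment(String bindDn, String bindPassword) {
        Hashtable<String, String> env = new Hashtable<String, String>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, "ldap://gwenig.coopsrc.com:389/ou=sunmq,dc=coopsrc,dc=com");
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, bindDn);        // e.g. "cn=directory manager"
        env.put(Context.SECURITY_CREDENTIALS, bindPassword);
        return env;
    }

    // JNDI environment matching the file-based store of Code Example 11-3. The
    // .bindings file in that directory must be present on every machine that uses it.
    static Hashtable<String, String> fileEnvironment(String directoryUrl) {
        Hashtable<String, String> env = new Hashtable<String, String>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.fscontext.RefFSContextFactory");
        env.put(Context.PROVIDER_URL, directoryUrl);        // e.g. "file:///home/gael/tmp"
        return env;
    }

    // Look one administered object up by its lookup name, then release the context.
    static Object lookup(Hashtable<String, String> env, String lookupName) throws NamingException {
        Context ctx = new InitialContext(env);
        try {
            return ctx.lookup(lookupName);
        } finally {
            ctx.close();
        }
    }

    // Producer side (Session Type LOCAL): the message becomes visible on the
    // queue only when commit() succeeds; an exception before that leaves the queue untouched.
    static void sendInLocalTransaction(Hashtable<String, String> env, String factoryLookup,
            String destinationLookup, String user, String password, String body)
            throws NamingException, JMSException {
        QueueConnectionFactory factory = (QueueConnectionFactory) lookup(env, factoryLookup);
        Queue queue = (Queue) lookup(env, destinationLookup);
        QueueConnection connection = factory.createQueueConnection(user, password);
        try {
            QueueSession session = connection.createQueueSession(true, Session.SESSION_TRANSACTED);
            QueueSender sender = session.createSender(queue);
            sender.send(session.createTextMessage(body));
            session.commit();
        } finally {
            connection.close();
        }
    }

    // Consumer side (Reliable Messaging Support LOCAL): the message leaves the
    // queue only on commit(); rollback() after a processing failure returns it
    // for redelivery. Returns the text, or null if nothing arrived before the timeout.
    static String receiveInLocalTransaction(Hashtable<String, String> env, String factoryLookup,
            String destinationLookup, String user, String password, long timeoutMillis)
            throws NamingException, JMSException {
        QueueConnectionFactory factory = (QueueConnectionFactory) lookup(env, factoryLookup);
        Queue queue = (Queue) lookup(env, destinationLookup);
        QueueConnection connection = factory.createQueueConnection(user, password);
        try {
            QueueSession session = connection.createQueueSession(true, Session.SESSION_TRANSACTED);
            QueueReceiver receiver = session.createReceiver(queue);
            connection.start();                              // deliveries begin only after start()
            Message received = receiver.receive(timeoutMillis);
            try {
                String text = (received instanceof TextMessage) ? ((TextMessage) received).getText() : null;
                // Real processing (the Synchronize User Password workflow) would run here.
                session.commit();
                return text;
            } catch (JMSException e) {
                session.rollback();                          // message stays on the queue
                throw e;
            }
        } finally {
            connection.close();
        }
    }

    // Round trip through the file-based store of the sample scenario.
    // Usage: java AdministeredObjectCheck <jmsUser> <jmsPassword>
    public static void main(String[] args) throws Exception {
        Hashtable<String, String> env = fileEnvironment("file:///home/gael/tmp");
        sendInLocalTransaction(env, "mytestFactory", "mytestQueue", args[0], args[1], "probe");
        String got = receiveInLocalTransaction(env, "mytestFactory", "mytestQueue", args[0], args[1], 5000L);
        System.out.println("received: " + got);
    }
}
```

A NamingException from lookup points at the object store (a missing or unreadable .bindings file, or a wrong bind DN, base DN or lookup name in the LDAP case); a JMSException points at the broker (the imqAddressList host and port, the destination, or the JMS user's credentials). For the LDAP store, replace fileEnvironment with ldapEnvironment and use the cn=... lookup names under which the objects were added.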
Creating the Destination on the Broker
By default, the Sun Message Queue broker allows auto-creation of the queue destination (see config.properties, where the default value for imq.autocreate.queue is true).
If the queue destination is not created automatically, you must create the destination object on the broker using the command shown in Code Example 11-4 (where myTestQueue is the destination name, that is, the Queue name):
Code Example 11-4 Creating a Destination Object on the Broker
#> cd /opt/sun/mq/bin
#> ./imqcmd create dst -t q -n mytestQueue
Username: <admin>
Password: <admin>
Creating a destination with the following attributes:
Destination Name mytestQueue
Destination Type Queue
On the broker specified by:
-------------------------
Host Primary Port
-------------------------
localhost 7676
Successfully created the destination.
You can store administered objects in a directory or in a file. When you use a directory, the administered objects are stored as directory entries; when you use a file, they are stored in a .bindings file in the directory named by java.naming.provider.url.
Note
If the Identity Manager PasswordSync servlet and the Identity Manager server are not on the same machine, then each of them must be able to access the .bindings file. You can repeat the administered object creation twice (on each machine) or you can copy the .bindings file to the proper location on each machine.
Configuring the JMS Listener Adapter for this Scenario
Configure the JMS listener adapter on the application server. Follow the instructions in the section Adding and Configuring a JMS Listener Adapter.
Configuring Active Sync
Next, configure the JMS Listener for synchronization. Active Sync is required if you are using JMS, but it is not used for direct connections.
To configure the JMS Listener for synchronization, follow these steps:
- In the Administrator interface, click Resources in the menu.
- In the Resource List, select the JMS Listener checkbox.
- In the Resource Actions list, select Edit Synchronization Policy.
The Edit Synchronization page for the JMS Listener resource opens (Figure 11-15).
Figure 11-15 Configuring Active Sync for the JMS Listener
- Under Common Settings, locate Proxy Administrator and select pwsyncadmin. (This administrator is associated with an empty form.)
- Under Common Settings, locate Process Rule and select Synchronize User Password from the list. The default Synchronize User Password workflow takes each request that comes in from the JMS Listener adapter, checks out the ChangeUserPassword viewer, and then checks the ChangeUserPassword viewer back in.
- In the Log File Path box, specify a path to a directory where the active and archived log files should be created.
- For debugging purposes, set the Log Level to 4 to generate a verbose log.
- Click Save.
Testing Your Configuration
You can use the Windows PasswordSync Configuration application to debug the Windows side of your configuration.
To test your PasswordSync configuration, follow these steps:
- Start the PasswordSync configuration application, if it is not already running.
By default, the configuration application is installed at Program Files > Sun Identity Manager PasswordSync > Configuration.
- When the PasswordSync Configuration dialog displays, click the Test button.
- If using JMS, the Test Connection dialog (Figure 11-16) displays, with a message stating whether the test connection completed successfully.
Figure 11-16 Test Connection Dialog
- Click Close to close the Test Connection dialog.
- Click OK to close the PasswordSync Configuration dialog.
The JMS Listener adapter then runs in debug mode, and generates debug information in a file, similar to the one in Figure 11-17.
Figure 11-17 Debug Information File
Frequently Asked Questions about PasswordSync
Can PasswordSync be implemented without a Java Messaging Service?
Yes, but doing so eliminates the advantages of using a JMS to track password change events.
To implement PasswordSync without a JMS, launch the configuration application with the following flag:
Configure.exe -direct
When the -direct flag is specified, the configuration application displays the User tab.
If you implement PasswordSync without a JMS, you do not need to create a JMS Listener adapter. Therefore, you should omit the procedures listed in Deploying PasswordSync on the Application Server. If you want to set up notifications, you may need to alter the Change User Password workflow.
Note
If you subsequently run the configuration application without specifying the -direct flag, PasswordSync will require a JMS to be configured. Relaunch the application with the -direct flag to bypass the JMS again.
Can PasswordSync be used in conjunction with other Windows password filters that are used to enforce custom password policies?
Yes, you can use PasswordSync in conjunction with other Windows password filters. It must, however, be the last password filter listed in the Notification Packages registry value.
You must use this Registry path:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Notification Packages (value of type REG_MULTI_SZ)
By default, the installer places the Identity Manager password intercept at the end of the list, but if you installed the custom password filter after the installation, you will be required to move lhpwic to the end of the Notification Packages list.
You can use PasswordSync in conjunction with other Identity Manager password policies. When policies are checked on the Identity Manager server side, all resource password policies must pass in order for the password synchronization to be pushed out to other resources. Consequently, you should make the Windows native password policy as restrictive as the most restrictive password policy defined in Identity Manager.
Can the PasswordSync servlet be installed on a different application server than Identity Manager?
Yes. The PasswordSync servlet requires the spml.jar and idmcommon.jar JAR files, in addition to any JAR files required by the JMS application.
Does the PasswordSync service send passwords over to the lh server in clear text?
Although we recommend running PasswordSync over SSL, all sensitive data is encrypted before being sent to the Identity Manager server.
For information, see Configure PasswordSync for SSL.
Why do password changes sometimes result in com.waveset.exception.ItemNotLocked?
If you enable PasswordSync, a password change (even one initiated from the user interface), will result in a password change on the resource, which causes the resource to contact Identity Manager.
If you configure the passwordSyncThreshold workflow variable correctly, Identity Manager examines the user object and decides that it has already handled the password change. However, if the user or the administrator makes another password change for the same user, at the same time, the user object could be locked.