Symantec Privileged Identity Manager - 14.0

14.0 12.9.02 12.9.01 12.8.01 12.7
English

Service Account Passwords

Usually, you set the password for  service accounts when you install the Enterprise Management Server. However, you might need to change the password for these accounts after installation. For example, you might change the passwords each year to comply with the security or password policies of your organization.
cminderpim14
Usually, you set the password for 
Privileged Identity Manager
 service accounts when you install the Enterprise Management Server. However, you might need to change the password for these accounts after installation. For example, you might change the passwords each year to comply with the security or password policies of your organization.
If a service account interacts with two 
Privileged Identity Manager
 components, change the password for the account on each component. If you change the password on only one component, the service account cannot log in to the other component.
 
 
Change the RDBMS_service_user Password
The RDBMS_service_user account authenticates communication between the Enterprise Management Server and the RDBMS. This account is not named RDBMS_service_user. You create this account when you prepare the database for the Enterprise Management Server. While you install the Enterprise Management Server, and you provide the account name and password with other database information.
You might regularly change the RDBMS_service_user password to comply with the security and password policies of your organization. You change the password on both the Enterprise Management Server and the RDBMS.
Before you change the password for this account, note the following points:
  • The default password for this account is the password that you specified when you created the user.
  • The password has the following limitations:
    • Must be 1-50 characters long
    • Must not contain high ASCII characters
    • Must not contain double quotes ( " )
    • Must adhere to RDBMS password rules
  • The password is stored in the following XML file, where 
    JBoss_home
     is the directory in which you installed JBoss:
    JBoss_home
    /server/default/conf/login-config.xml
 
Follow these steps:
 
  1. Change the password using your database tools.
    For information about how to change the password, see the Microsoft SQL or Oracle documentation.
  2. Change the password in the Enterprise Management Server:
    1. Stop JBoss Application Server.
    4. Restart JBoss Application Server.
    5. Verify that you can log in to 
      Privileged Identity Manager
       Enterprise Console.
      JBoss is successfully started and the password is changed in the Enterprise Management Server.
    The RDBMS_service_user password is changed in all locations.
 
Example: Change the Password in the login-config.xml File
 
This snippet of the login-config.xml file shows you one instance of the changed RDMBS_service_user password. The user is named caidb01. The password has been encrypted and is }>8:Jt^+%INK&i^v:
<application-policy name="imobjectstoredb">
    <authentication>    
        <login-module code="com.netegrity.jboss.datasource.PasswordEncryptedLogin" flag="required"> 
            <module-option name="userName">caidb01</module-option>  
            <module-option name="password">{AES}:}>8:Jt^+%INK&i^v==</module-option> 
            <module-option name="managedConnectionFactoryName">jboss.jca:name=jdbc/objectstore,service=NoTxCM</module-option>   
        </login-module> 
    </authentication>   
</application-policy>
Change the reportserver Password 
The Enterprise Management Server and the DMS use the 
reportserver
 account to connect to the Message Queue.
The Enterprise Management Server uses the 
reportserver
 account to perform the following actions:
  • Send reporting data to CA User Activity Reporting Module
  • Send UNAB remote migration commands
  • Provide privileged account passwords to the SAM Agent on SAM endpoints
  • Receive reporting data from 
    Privileged Identity Manager
     endpoints
The DMS uses the 
reportserver
 account to perform the following actions:
  • Send UNAB policies to UNAB endpoints
  • Receive policy deployment status information that is sent from UNAB endpoints
You might regularly change the 
reportserver
 password to comply with the security and password policies of your organization. You change the password on the Distribution Server, Enterprise Management Server, and DMS.
Before you change the 
reportserver
 password, note the following points:
  • The default password for this account is the communication password that you specify while installing the Enterprise Management Server.
  • The password has the following limitations:
    • Must be 1-240 characters long
    • Must not contain high ASCII characters
    • Must not contain double quotes ( " )
  • The password is stored in the Message Queue and the following XML files. 
    JBoss_home
     is the directory in which you installed JBoss.
    •  
      JBoss_home
      /server/default/deploy/properties-service.xml
    •  
      JBoss_home
      /server/default/conf/login-config.xml
If you have more than one Distribution Server in your enterprise, do the following steps:
  1. Change the password on the Distribution Server, which is installed on the Enterprise Management Server.
  2. Change the password on the other Distribution Servers in your enterprise.
 
Follow these steps:
 
  1. On the Distribution Server, set the Message Queue password for the reportserver user.
    You have changed the 
    reportserver
     password on the Distribution Server.
  2. Change the password on the Enterprise Management Server, as follows:
    1. Stop JBoss Application Server.
    5. Restart JBoss Application Server.
    6. Verify that you can log in to 
      Privileged Identity Manager
       Enterprise Console.
      JBoss is successfully started and the password on the Enterprise Management Server is changed.
  3.  Use sechkey to change the reportserver password on the DMS.
    The 
    reportserver
     password is changed in all locations.
 
Example: Change the Password in the properties-service.xml File
 
This snippet of the properties-service.xml file shows you the changed 
reportserver
 password. The password has been encrypted and is }>8:Jt^+%INK&i^v:
<attribute name="Properties">      
    <!-- ActiveMQ serialization. Any custom objects that needs to be sent over Queues need to be included here -->  
    org.apache.activemq.SERIALIZABLE_PACKAGES=*     
    SamMDB.mdb-user=reportserver    
    <!-- encoded ActiveMQ password -->  
    SamMDB.mdb-passwd={AES}:}>8:Jt^+%INK&i^v==  
</attribute>
 
Example: Change the Password in the login-config.xml File
 
This snippet of the login-config.xml file shows you the changed 
reportserver
 password. The password has been encrypted and is }>8:Jt^+%INK&i^v:
<application-policy name="JmsXARealm">
    <authentication>    
        <login-module code="org.jboss.resource.security.ConfiguredIdentityLoginModule" flag="required"> 
            <module-option name="principal">guest</module-option>   
            <module-option name="userName">reportserver</module-option> 
            <module-option name="password">{AES}:}>8:Jt^+%INK&i^v==</module-option> 
            <module-option name="managedConnectionFactoryName">jboss.jca:service=TxCM,name=JmsXA</module-option>    
        </login-module> 
    </authentication>   
</application-policy>
 
Example: Use sechkey to Change the Message Queue Password on the DMS
 
This command changes the Message Queue password on the DMS. The password is "secret", and must be in clear text and enclosed in double quotes:
sechkey -t -server -pwd "secret"
Change the +reportagent Password
The 
+reportagent 
account lets an endpoint log in to the Message Queue. On each endpoint, the UNAB Agent, SAM Agent, and Report Agent use this account to communicate with the Message Queue.
You can regularly change the 
+reportagent
 password to comply with the security and password policies of your organization. Change the password on both the Message Queue and the endpoints.
Before you change the 
+reportagent
 password, note the following points:
  • The default password is the communication password that you specify when you install the Enterprise Management Server.
  • The password has the following limitations:
    • Must be 1-240 characters long
    • Must not contain high ASCII characters
    • Must not contain double quotes ( " )
  • The password is stored in the Message Queue and the 
    Privileged Identity Manager
     database on the endpoint (
    seosdb
    ).
 If you have more than one Distribution Server in your enterprise, do the following steps:
  1. Change the password on the Distribution Server, which is installed on the Enterprise Management Server
  2. Change the password on the other Distribution Servers in your enterprise
 
Follow these steps:
 
  1. The 
    +reportagent
     password is changed on the Message Queue.
  2.  Use sechkey to change the password that 
    ReportAgent 
    uses to connect to the Message Queue on the endpoints.
    The changed 
    +reportagent
     password is propagated to the endpoints.
    You can also use selang to change the 
    +reportagent
    password on the endpoints. You cannot use a policy to propagate the selang command because you cannot set user passwords using advanced policy management.
 
Example: Use sechkey to Change the Message Queue Password on the Endpoints
 
This command propagates the Message Queue password for the 
+reportagent
 user to the endpoints that are subscribed to the Distribution Server. The password is "secret", and must be in clear text and enclosed in double quotes:
sechkey -t -pwd "secret"
Change the +policyfetcher Password
The 
+policyfetcher
 account executes the 
policyfetcher
 daemon or service, which looks for deployment tasks on the DH. It also applies policy updates to the local 
Privileged Identity Manager
 database (
seosdb
), and sends a heartbeat to the DH at regular intervals. 
Privileged Identity Manager
 uses a SPECIALPGM rule to define 
+policyfetcher
 as a system user.
 +policyfetcher
 runs as the NT Authority\System user in Windows.
You can regularly change the 
+policyfetcher
 password to comply with the security and password policies of your organization.
Before you change the 
+policyfetcher
 password, note the following points:
  • The 
    +policyfetcher
     account has no default password. No password is set for 
    +policyfetcher
     during the installation of 
    Privileged Identity Manager
     
  • The password has the following limitations:
    • Must be 1-240 characters long
    • Must not contain high ASCII characters
    • Must not contain double quotes ( " )
  • The password is stored in 
    seosdb
    , the local 
    Privileged Identity Manager
     database.
 To prevent this user from logging in to the 
Privileged Identity Manager
 database, do not set a password for this user.
To change the 
+policyfetcher
 password, use selang to change the password.
 
Example: Change the +policyfetcher Password
 
This command changes the password for the 
+policyfetcher 
user. The password is "secret", and must be in clear text and enclosed in double quotes:
AC> cu +policyfetcher password("secret") grace- nonative
(localhost)
Successfully updated USER +policyfetcher
Change the +devcalc Password
The 
+devcalc
 account executes the policy deviation calculation. The calculation determines the difference between the expected access rules that are deployed on an endpoint (as a result of policy deployment) and the actual rules that have been successfully deployed on the same endpoint. A SPECIALPGM rule is used to define 
+devcalc
 as a system user. 
+devcalc
 runs as the NT Authority\System user in Windows.
You can regularly change the 
+devcalc 
password to comply the security and password policies of your organization.
Before you change the 
+devcalc
 password, note the following points:
  • The 
    +devcalc
     account has no default password. No password is set for 
    +devcalc
     while installing 
    Privileged Identity Manager
    .
  • The password has the following limitations:
    • Must be 1-240 characters long
    • Must not contain high ASCII characters
    • Must not contain double quotes ( " )
  • The password is stored in 
    seosdb
    , the local 
    Privileged Identity Manager
     database.
 To prevent this user from logging in to the 
Privileged Identity Manager
 database, do not set a password for this user.
To change the 
+devcalc
 password, use selang to change the password.
 
Example: Change the +devcalc Password
 
This command changes the password for the 
+devcalc
 user. The password is "secret", and must be in clear text and enclosed in double quotes:
AC> cu +devcalc password("secret") grace- nonative
(localhost)
Successfully updated USER +devcalc
Change the ac_entm_pers Password
The ac_entm_pers account authenticates communication between the DMS and the Enterprise Management Server.
You can regularly change the ac_entm_pers password to comply with the security and password policies of your organization. You change the password on both the RDBMS and the DMS.
Before you change the ac_entm_pers password, consider the following points:
  • When you install 
    Privileged Identity Manager
    , the default password is randomly generated.
  • The password has the following limitations:
    • Must be 1-48 characters long
    • Must not contain double quotes ( " )
    • Must not contain high ASCII characters
  • The password is stored in the RDBMS and the DMS.
 
Follow these steps:
 
  2. In 
    Privileged Identity Manager
     Enterprise Console, configure the connection to the DMS and specify the new password.
    The ac_entm_pers password is changed in all locations.
 
Example: Use selang to Change the ac_entm_pers Password
 
This command connects to the DMS and changes the password for the ac_entm_pers user. The password is "secret", and must be in clear text and enclosed in double quotes:
AC> eu ac_entm_pers admin auditor nonative password(secret) logical nonative grace-
Change the ADS_LDAP_bind_user Password
The ADS_LDAP_bind_user account lets the Enterprise Management Server perform LDAP queries against Active Directory. This account is not named ADS_LDAP_bind_user. The name of this account is the User DN that you specify in the Active Directory Settings wizard page while installing the Enterprise Management Server.
You can regularly change the ADS_LDAP_bind_user password to comply with the security and password policies of your organization. You change the password on both Active Directory and the RDBMS.
Before you change the ADS_LDAP_bind_user password, note the following points:
  • You specify the default password in the Active Directory Settings wizard page while installing the Enterprise Management Server.
  • The password has the following limitations:
    • Must be 7-120 characters long
    • Must not contain high ASCII characters
    • Must not contain a colon ( : )
    • Must adhere to Active Directory password rules
  • The password is stored in Active Directory and the RDBMS
 
Follow these steps:
 
  1. Change the password in Active Directory, using Active Directory tools.
  2.  Change the user directory password in the CA IdentityMinder Management Console.
    The ADS_LDAP_bind_user password is changed in all locations.