DX NetOps

Hi All,

 We have 300 local accounts which is created in CA Spectrum ,whether do I enforce the user to change the password after N number of days .There is any option to find when the last reset was happened ?Kindly suggest .

There's no such option builtin for spectrum. I would use EEM and query it's directory as LDAP from Spectrum. If you integrate EEM with Spectrum and EEM is not available, you'll not be able to login.

You can set in EEM password policies and enforce changing of password every n days. You'll also get at last last password change for a user.

Actually, there is a better answer than this. Rather than using EEM (which is not quite deprecated but heading that way), under Spectrum you can link directly into MS AD (or LDAP). Therefore, if this is a corporate directory server, the policies that are applied corporately will automatically apply to your user accounts. As such, things like password expiry times and complexity are no longer the responsibility of your Spectrum admin but back into the corporate setup.

Details on how to do this are here:

https://docops.ca.com/ca-spectrum/10-2-3/en/administrating/oneclick-administration/oneclick-administration-pages#OneClickAdministrationPages-LDAPConfigurationPage

So is there is any solution where Spectrum is not Integrated with EEM or LDAP ?Looks like strange how local users follow security policy within the tool.

Not that I know of, in Spectrum. This kind of operations should be performed generally on the organization by using enforced policies. The easiest way to do this is by centralized solution, that is usually available as LDAP. 

There was never this sort of thing built into Spectrum at all (going back ~15 years since the beginning). This includes things like the use of cracklib (through PAM) for the enforcement of such things such as password complexity, which would be standard under a Linux distro (or the associated libraries/tools in Windows).

The question that you really have to ask is who is logging into the system? If you are doing it for a handful of users (say a bunch of network/system admins) then you are going to be dealing with about half a dozen users that are presumed to be (somewhat) trusted. However, if you are wanting to bring in Service Desk/NOC users (say 20-50 users on a rotational basis) then you are way better off linking into a LDAP setup where this responsibility is offloaded. If you are talking about even more users then I would definitely go down the LDAP route!

Thanks CatalinF and Edward !! 

Even i am using EEM integrated with AD for many setup .But i have dedicated setup where it is not integrated with EEM or LDAP .So the question raised by me how the security standards works here .

Yeah, you can use an LDAP, if available. If not, I'm always using the CA Directory that comes shipped with EEM. It's free of charge and suites the needs.

Secondly, if you need to integrate multiple LDAP domains directly in Spectrum, you can do it only using EEM. I would not say it's dead yet. I've been using it it the same way for nearly 10 years. 

I started with the assumption that a LDAP is not available in the first place, thus my EEM recommendation. I agree, the easiest way is to use an existing LDAP that is not in your responsibility. 

CatalinF, yes, I agree with you on the EEM front (for me it has been more like 20+ years), in particular with the multi-domain (one of the advantages of heading to EEM 12.5, the other being HA failover of EEM).

However, these days everyone has a MS AD setup of sorts. Therefore, not having to deploy an extra server for EEM means that you reduce the management overhead of needing one (or more if doing HA).

The other question that needs to be asked is the size of the deployment. For a small/medium deployment, requiring an EEM box is less and less these days. Also, there are only about two CA products that actually really need EEM these days - CA SOI being the main one (though I think that this is slowly changing). The main requirement for CA EEM was always for the combined "fake" SSO between Spectrum and eHealth. Since eHealth is going away, there is a move to use pure LDAP links.

Therefore, the standard recommendation we have is to use LDAP (including for answering the question from the original post about password management).

I've always installed the EEM on one of the servers in the installation, I've never used a dedicated server for this. 

I agree, it's only use was to have SSO between Spectrum and eHealth. Nowadays, I've been using it also for having multiple LDAP domains in PC or Spectrum.