Symantec Privileged Access Management

  • 1.  PIM password change

    Posted Jun 20, 2016 01:17 PM

    Hi,

    I have a question on how password change works in PAM. My understanding is that, depending on the password policy, the pwd will be stored in the DB. In case the EMS is not available for password checkout, we can directly hit the DB and get the pwd.

     

    The question is: how does the authentication mechanism work at the back end, and what are all the connectivity parameters that validate that the password is valid and let the user log in to the end system?

     

    Thanks!



  • 2.  Re: PIM password change
    Best Answer

    Posted Jun 24, 2016 01:16 AM

    Karthik, good day. Answering this question with respect to Privileged Identity Manager (ENTM), a.k.a. Control Minder.

     

    Points to Note :

    • ENTM changes the password based on the endpoint type. For Windows it uses WMI, and for other types it uses the connector configuration files present in ACServerInstallDir/Connector Server/conf/override/sshdyn.
    • The password change is something similar to the expect command in Unix. For example, when changing the password of an account on a Unix endpoint, Control Minder expects the "Password :" prompt to enter the password and "Retype the password :" to enter the password again to confirm. Take a look at any of the config files under the ACServerInstallDir/Connector Server/conf/override/sshdyn folder to understand this better.

     

    Answers to the Questions:

     

    [Q] I have a question on how password change works in PAM. My understanding is that, depending on the password policy, the pwd will be stored in the DB. In case the EMS is not available for password checkout, we can directly hit the DB and get the pwd.

     

    [Res] Yes, the password will be stored in the database. In case of a disaster where you are unable to bring up the ENTM application, you may retrieve the password from the database. To do this task, there is an executable, pwextractor, bundled with CA PIM / Privileged Identity Manager (ENTM), a.k.a. Control Minder.

    pwextractor Utility Extract Privileged Account Passwords - CA ControlMinder - 12.8 - CA Technologies Documentation

    [Q] How does the authentication mechanism work at the back end, and what are all the connectivity parameters that validate that the password is valid and let the user log in to the end system?

     

    [Res]
    Case 1: Account is a disconnected account.

    ENTM will not validate the account's existence. ENTM uses the password given during the creation of the account, or the password set using the Manual Password Reset option, to log in to the endpoint. If no such account exists on the endpoint, login fails.


    Case 2: Account is configured not to change the password upon check-in/check-out.

    In this case the password will be changed only once.

    a) If the account is created using the Create Privileged Account option, ENTM will validate the password upon creation and will use the same password on subsequent logins.

     

    b) If the account is created using the Discovery option, ENTM will create a new password for the account and will update the same on the endpoint using the administrative user specified during the creation of the endpoint.

     

    Case 3: Account is configured to change the password upon check-in/check-out.

    a) If the account is created using the Create Privileged Account option, ENTM will validate the password upon creation and will create a new password on subsequent logins.

     

    b) If the account is created using the Discovery option, ENTM will create a new password for the account and will create a new password on subsequent logins.

     

    Here is how the out-of-sync condition will be handled.

     

    In all three cases, if the password of the account is changed by logging in to the endpoint directly, ENTM will not be aware of this change. This will make the password out of sync.

     

    In Case 1: This is a manual step. You need to update the new password using the Manual Password Reset option.

     

    In Case 2: This is also a manual step. To get the password in sync again, use the Automatic Password Reset option or the Manual Password Reset option. This will create a password and will update both ENTM and the endpoint.

     

    In Case 3: If the account is configured to change the password at check-out, this will generate a new password and then present it to the user, so the login will go through.

    If the account is configured to change the password – this will fail on check-out, and a check-in will be executed, which changes the password; the next check-out will succeed.
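    The three cases and the out-of-sync handling above, as an added toy model that is not Control Minder code. `Endpoint`, `Vault` and the policy names are assumptions; the model only shows which policies recover on their own after the endpoint password is changed outside ENTM, and which need a Manual Password Reset.

```python
# Constructed model of ENTM check-out/check-in behaviour (not product code).
import secrets

# Policy labels are assumptions, mapped to the cases in the answer above.
DISCONNECTED, NO_CHANGE = "case1", "case2"
CHANGE_ON_CHECKOUT, CHANGE_ON_CHECKIN = "case3-checkout", "case3-checkin"

class Endpoint:
    """Stand-in for the managed host; holds the account's real password."""
    def __init__(self, account, password):
        self.pw = {account: password}
    def login(self, account, password):
        return self.pw.get(account) == password
    def set_password(self, account, new):
        # In ENTM this goes through the endpoint's administrative user.
        self.pw[account] = new

class Vault:
    """Stand-in for the ENTM store for one privileged account."""
    def __init__(self, endpoint, account, password, policy):
        self.ep, self.account = endpoint, account
        self.stored, self.policy = password, policy
    def _rotate(self):
        self.stored = secrets.token_urlsafe(12)
        self.ep.set_password(self.account, self.stored)
    def checkout(self):
        """True when the user is handed a password that actually logs in."""
        if self.policy == CHANGE_ON_CHECKOUT:
            self._rotate()                 # new password generated, then presented
        if self.ep.login(self.account, self.stored):
            return True
        if self.policy == CHANGE_ON_CHECKIN:
            self.checkin()                 # failed check-out triggers a check-in
        return False                       # cases 1 and 2: manual reset needed
    def checkin(self):
        if self.policy in (CHANGE_ON_CHECKOUT, CHANGE_ON_CHECKIN):
            self._rotate()
    def manual_reset(self, new_password):
        """Manual Password Reset: record the password; push it unless disconnected."""
        self.stored = new_password
        if self.policy != DISCONNECTED:
            self.ep.set_password(self.account, new_password)

def outcomes_after_drift(policy):
    """Password changed directly on the endpoint; results of two check-outs."""
    ep = Endpoint("root", "initial")
    vault = Vault(ep, "root", "initial", policy)
    ep.set_password("root", "changed-by-hand")   # the out-of-sync condition
    return [vault.checkout(), vault.checkout()]
```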



  • 3.  Re: PIM password change

    Posted Jul 07, 2016 11:49 PM

    Thanks Karvi, this helps a lot!!