Symantec Access Management

  • 1.  password history in change password functionality using CA Siteminder or Siteminder APS

    Posted Jun 23, 2015 01:41 PM

    We are using Java code for the change password functionality. Now we need to implement functionality to check the last six passwords in the password history while changing the password.

    Is it possible to achieve this using CA SiteMinder or SiteMinder APS without changing the existing code? Please let me know if any solution is available.



  • 2.  Re: password history in change password functionality using CA Siteminder or Siteminder APS

    Posted Jun 23, 2015 09:05 PM

    Hi Madhu,

    Both Basic Password Services and Advanced Password Services support configuring Password Reuse features:

    • Reuse Counter
    • Reuse Timer

     

    For BPS, check the following screenshot:

    [Screenshot: Password Reuse.jpg]

     

    For APS:

    Reference: Password Reuse

    Password Reuse

    The password reuse policy determines when and whether previously used passwords may be reused by the same user. These fields allow an administrator to dictate the minimum number of passwords a user may use in a password cycle. If both values are set, APS uses the higher of the two. In other words, if the settings are a count of 12 and a delay of 365 days, the user may not reuse passwords used in the last year. After a year, if only six passwords have been used, another six would have to be used before the user can go back to the first password.

    Values are checked both forwards and backwards, and are not case-sensitive. To turn password reuse checking off, set both values to zero or do not put the keywords into the file (comment them out).

    APS will always keep the larger of the Count or one year, regardless of these settings. This is so that these settings can be turned on later without repercussions.

    There is an internal restriction on the length of the password history. APS will keep a maximum of only 24K of information (dates and values, encrypted). Thus, programmatic password changers (that might be used for load/volume testing) might be able to re-use a password before these restrictions are satisfied. Only an automated password changer can change a password frequently enough. The password history has duplicate compression, so changing it and changing it back programmatically will not overly enlarge the history.

    APS cannot limit users to changing their password once per day. However, the purpose of such a limitation is to prevent users from setting a new password, then setting it back immediately. To accomplish the same purpose, set Reuse Delay to 1. The user can then change their password as many times as they want, but will not be able to set it back for 1 day. See page 67 for a further discussion of this feature.

    Reuse Count

    Range: 0-500

    Default: 0

    Recommended: 12

    Complexity Level: Intermediate

    This controls how many passwords must be used before they can be reused.

    Reuse Count=12
    Reuse Count={@Customers} 500

    Not supported on Windows NT Domain User Directories.

    Reuse Delay

    Range: 0-3650

    Default: 0

    Recommended: 365

    Complexity Level: Intermediate

    Controls how much time must elapse before a password can be reused.

    Note that there is no need for a setting limiting how often a user may change their password. If this setting is set to one, then the user may change their password as many times as they want, but won't be able to reuse a password for 24 hours.

    Reuse Delay=1
    Reuse Delay={@Employees} 365

    Not supported on Windows NT Domain User Directories.

     

    Let me know if you have any more questions.

     

    Cheers,

    Ujwol Shrestha
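A small model of the Reuse Count and Reuse Delay rules quoted in the reply above, added here as an illustration; it is not APS code and not anything posted in this thread. The classes, the salted SHA-256 digest of the case-folded password (a stand-in for the encrypted values APS says it stores) and the date handling are all assumptions; the 24K cap on stored history is not modelled.

```python
import hashlib
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass
class ReusePolicy:
    """Hypothetical model of the two APS.cfg keywords quoted above."""
    reuse_count: int = 0        # Reuse Count, 0-500; 0 disables the count check
    reuse_delay_days: int = 0   # Reuse Delay, 0-3650 days; 0 disables the delay check

    @property
    def enabled(self) -> bool:
        # "set both values to zero" turns reuse checking off
        return self.reuse_count > 0 or self.reuse_delay_days > 0


@dataclass
class HistoryEntry:
    digest: str      # salted digest of the case-folded password (assumed stand-in for APS's encrypted value)
    last_used: date  # date the password was most recently set


class PasswordHistory:
    """Per-user password history, oldest entry first. Assumed structure, not APS's own."""

    def __init__(self, salt: bytes):
        self.salt = salt
        self.entries: list[HistoryEntry] = []

    def _digest(self, password: str) -> str:
        # The documentation says reuse checks are not case-sensitive, so the
        # comparable value is derived from the case-folded password.
        return hashlib.sha256(self.salt + password.casefold().encode("utf-8")).hexdigest()

    def record(self, password: str, when: date) -> None:
        """Store a newly set password (call after the change has succeeded)."""
        digest = self._digest(password)
        # Duplicate compression: a password already in the history moves to the
        # newest slot instead of being stored twice, so change-and-change-back
        # cycles do not grow the history.
        self.entries = [e for e in self.entries if e.digest != digest]
        self.entries.append(HistoryEntry(digest, when))

    def prune(self, policy: ReusePolicy, today: date) -> None:
        """Retention rule: keep the larger of Reuse Count entries or one year of
        history, so the settings can be tightened later without losing data."""
        one_year_ago = today - timedelta(days=365)
        total = len(self.entries)
        self.entries = [
            e for i, e in enumerate(self.entries)
            if (total - i) <= policy.reuse_count or e.last_used >= one_year_ago
        ]

    def may_reuse(self, candidate: str, policy: ReusePolicy, today: date) -> tuple[bool, str]:
        """Return (allowed, reason). When both settings are on, both must be
        satisfied, which is what 'APS uses the higher of the two' amounts to."""
        if not policy.enabled:
            return True, "password reuse checking is off (both values are zero)"
        digest = self._digest(candidate)
        # Walk from newest to oldest; position 1 is the current password.
        for position, entry in enumerate(reversed(self.entries), start=1):
            if entry.digest != digest:
                continue
            if policy.reuse_count and position <= policy.reuse_count:
                return False, f"used {position} password(s) ago; Reuse Count is {policy.reuse_count}"
            days_ago = (today - entry.last_used).days
            if policy.reuse_delay_days and days_ago < policy.reuse_delay_days:
                return False, f"used {days_ago} day(s) ago; Reuse Delay is {policy.reuse_delay_days}"
            return True, "old enough and far enough back in the history"
        return True, "not found in the password history"


if __name__ == "__main__":
    # Constructed scenario from the quoted text: count 12, delay 365, only six
    # passwords ever used, more than a year later. The first one is still blocked
    # by the count rule even though the delay has long expired.
    policy = ReusePolicy(reuse_count=12, reuse_delay_days=365)
    history = PasswordHistory(salt=b"constructed-demo-salt")
    for i in range(6):
        history.record(f"Spring{i}!", date(2014, 1, 1 + i))
    print(history.may_reuse("spring0!", policy, date(2015, 6, 23)))
```

Changing the dates or the count in the last lines shows which of the two rules rejects a candidate; `prune()` is the retention rule and is deliberately separate from the reuse check, as the quoted text describes.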



  • 3.  Re: password history in change password functionality using CA Siteminder or Siteminder APS

    Posted Jun 23, 2015 10:13 PM

    Hi Ujwol,

    Thanks for the prompt response.

    After I enable the above solution in the APS.cfg file, how will the APS be triggered?

    Please note that we are not using any forms provided by CA (CGI programs) to reset the password. We are using a simple HTML form.

    Is it possible to call the APS from the form? Or do we need to call it from the agent?

    How does the APS know that we are changing the password?

     

    Let me know if you need any additional details.

     

    Thanks and Regards,

    MADHU



  • 4.  Re: password history in change password functionality using CA Siteminder or Siteminder APS

    Posted Jun 24, 2015 01:15 AM

    Hi Madhu,

     

    To enable APS it is not sufficient to just modify the APS.cfg file.

     

    I would recommend you go through our Administration guide in detail on how to configure APS.

    In summary,

    1. You will need to enable APS on Policy Server

    2. Import APS Schema on the User Store,

    3. Initialize all users by running APSExpire

    4. Enable APS on the Web Agent side (create a virtual directory for SmCPW.exe, Forgot.exe, etc.)

     

    Once you have completed all APS configuration, you will then need to configure your password policy in APS.cfg.

     

    As far as calling the APS is concerned, custom forms can be written for password changes. They can be written in any language that can display a form. The form must POST to the SmCPW program (SmCPW.EXE on Windows) and may pass any or all command line arguments to it. If command line arguments are passed, the TARGET=<targetURL> should be passed, so that SmCPW knows where to send the user when the process is complete.

     

    Alternatively, you can also invoke the SDK API to change the password:

    SmDmsUser.changePassword()

     

    Reference : CA SiteMinder SDK r12.5

     

    I would recommend that you first evaluate whether you really need APS (Advanced Password Services) or can complete your use cases with Basic Password Services, by going through the following link, which lists the differences between them:

     

    SiteMinder (Basic) Password Services & Advanced Password Services

     

    Your current use case can be fulfilled by using just the BPS.

     

    Regards,

    Ujwol Shrestha



  • 5.  Re: password history in change password functionality using CA Siteminder or Siteminder APS

    Posted Jul 27, 2015 07:18 AM

    Hi Ujwol,

     

    I tried setting up APS in my environment, and when I tried accessing the URL http://xyz.mydomain.com/aps/fps/Forgot.exe?Target=http://xyx.mydomain.com/fp it displayed the following error message: "Unable to initialize agent".

     

    If I hit http://xyz.mydomain.com/aps/apsadmin/apsadmin.exe then it displays the error below:

    SM-APS-15003 = APS Administration Service must run under a Web Agent.

     

    Is there anything I'm missing out?



  • 6.  Re: password history in change password functionality using CA Siteminder or Siteminder APS

    Posted Jul 27, 2015 07:47 PM

    Hi Venga,

     

    To better manage the questions, I have created a new thread to discuss your question pertaining to APS initialization errors here : https://communities.ca.com/message/241811397#241811397

    Let's discuss it over there and let this thread deal with the original question.

     

    Cheers,

    Ujwol