Symantec Access Management

  • 1.  Siteminder password policy services - How the user is re-enabled

    Posted Feb 02, 2016 08:48 AM

    Hi All,

     

    I have a general query on how the password policy works in a user re-enable situation.

    For example, the user has reached the max login fail count and the account got locked. sm-disabled-flag is updated. Now the user is re-enabled after 1 hour based on the policy. How is this happening?

    Is there any way to track it?

    One more query. Let's suppose the user account got locked and it will be enabled after 60 mins, but the user is accessing the application after 45 mins. The password policy comes into the picture as the disabled flag value is not zero. Can we track the remaining minutes, or when exactly the user account will be activated by SM?

     

    PS Version:

    ProductName=CA SiteMinder Policy Server

    FullVersion=12.0.302.328

    Location=/opt/software/ca/siteminder12

    UD:

    Oracle 11g 64bit


    Regards,

    Sarwan



  • 2.  Re: Siteminder password policy services - How the user is re-enabled
    Best Answer

    Posted Feb 03, 2016 03:30 AM

    Hi Sarwan,


    I believe here we are talking about basic password services (BPS).


    If that is the case, the logic is pretty simple. Here is how it works:


    1) After the max failed login attempts the user is disabled (disabled flag is set).

    Additionally, the password data field (SiteMinder password blob) is updated to set "Disabled Timestamp" value.


    2) Now, when the user tries to login, if the disabled flag is set, it will check when it was disabled (from the blob) and calculate whether it is time to enable the user based on the user lockout duration configured in the password policy.


    So, as you can see, the check happens every time the user attempts to log in, and the user is enabled during the first login attempt after the lockout duration as configured in the password policy. Users are not enabled automatically.



  • 3.  Re: Siteminder password policy services - How the user is re-enabled

    Posted Feb 03, 2016 03:32 AM

    For your information, here is the list of other information that is stored in the password blob:

    a) Current Login Failure Count

    b) Last Login Timestamp

    c) Previous Login Timestamp

    d) Disabled Timestamp

    e) Password History

    f) Last Password Change Timestamp (from the most recent entry in the Password History)



  • 4.  Re: Siteminder password policy services - How the user is re-enabled

    Posted Feb 03, 2016 03:51 AM

    Thanks very much for the detailed notes.

    From my understanding the password blob is encrypted and can be read only by Siteminder. If this is the case, can we notify the user of the pending time until the account will be unlocked?



  • 5.  Re: Siteminder password policy services - How the user is re-enabled

    Posted Feb 03, 2016 03:58 AM

    Yes, the password blob is encrypted.

    However, you can use the SiteMinder SDK to retrieve some information out of the blob, and fortunately "Disabled Time" is one of them.


    Reference:

    https://support.ca.com/cadocs/0/CA%20SiteMinder%20r12%20SP2-ENU/Bookshelf_Files/HTML/javadoc-sm/com/netegrity/sdk/dmsapi/SmDmsUserPWState.html#getDisabledTime()


    SmDmsUserPWState.getDisabledTime() is what you will need to use.
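A model of the lazy re-enable logic described in reply 2 and of the "remaining minutes" question answered in reply 5, written here as an added Python example. It is not SiteMinder or SDK code; the field names, the policy values (3 failures, 60-minute lockout) and the use of epoch seconds for the blob timestamps are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Optional

MAX_FAILURES = 3            # constructed policy values; a real policy sets its own
LOCKOUT_SECONDS = 60 * 60   # 60-minute lockout, the duration used in the question


@dataclass
class PWState:
    """Constructed stand-in for the per-user fields the replies say the blob holds."""
    failure_count: int = 0                 # Current Login Failure Count
    disabled_flag: bool = False            # the disabled flag on the user
    disabled_time: Optional[int] = None    # Disabled Timestamp, as epoch seconds
    last_login: Optional[int] = None       # Last Login Timestamp, as epoch seconds


def remaining_lockout(state: PWState, now: int) -> int:
    """Seconds until a login attempt would lift the lockout; 0 if not locked.
    This is the value a 'try again in N minutes' message would be built from."""
    if not state.disabled_flag or state.disabled_time is None:
        return 0
    return max(LOCKOUT_SECONDS - (now - state.disabled_time), 0)


def attempt_login(state: PWState, password_ok: bool, now: int) -> str:
    """Returns 'ok', 'bad_password' or 'locked'.
    Re-enable is evaluated only here, on a login attempt; nothing runs on a timer."""
    if state.disabled_flag:
        if remaining_lockout(state, now) > 0:
            return "locked"   # assumption: the password is not even checked while locked
        # lockout duration has elapsed: clear the flag and the counter, then evaluate the login
        state.disabled_flag = False
        state.disabled_time = None
        state.failure_count = 0
    if not password_ok:
        state.failure_count += 1
        if state.failure_count >= MAX_FAILURES:
            state.disabled_flag = True
            state.disabled_time = now   # stored so a later attempt can compute the elapsed time
        return "bad_password"
    state.failure_count = 0
    state.last_login = now
    return "ok"
```

In the 45-minute case from the question, `remaining_lockout` reports the time still to wait while the flag stays set; only the first attempt after the full duration clears it.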



  • 6.  Re: Siteminder password policy services - How the user is re-enabled

    Posted Feb 03, 2016 04:07 AM

    Ok. I will have a check Ujwol.



  • 7.  Re: Siteminder password policy services - How the user is re-enabled

    Posted Feb 04, 2016 07:17 PM

    Hi Sarwan,

    As your original question is answered, could you please help mark this thread as answered?

    If you have any further question on how to retrieve info from the password blob please create a new thread.


    Regards,

    Ujwol