Enable/Disable Automatic Account Management
All passwords must be handled through the PVWA interface so that the passwords on
remote devices stay synchronized with the corresponding passwords in the Password
Vault. If a password on the remote device is changed manually rather than through the
PVWA, it is no longer synchronized with its corresponding password in the Vault, and it
becomes unavailable.
Whenever this happens, it is essential for the relevant personnel to be alerted as soon as
possible so that they can identify the unsynchronized password and regain control over
the remote device.
The password change processes determine how frequently passwords are changed and how the changes are initiated. Authorized users can change passwords that are stored in the Safe through the
Password Vault Web Access. These passwords can be changed manually or replaced by a new password that is randomly generated by the Central Policy Manager. The CPM generates unique and highly secure passwords using the password policy and the random password generation mechanism. Therefore, passwords that are managed by the CPM do not need to be specified manually.
- Initiating password change process automatically (before the expiration period elapses)
The CPM can initiate a password change process before the scheduled time that is specified in a platform. A platform parameter determines the number of days before the account’s expiration at which the CPM initiates the password change process. If, for any reason, a password cannot be changed in time, the policy is not violated, and there is still time to resolve any potential problems.
The password verification processes determine how frequently passwords are verified and how the verification is initiated. The CPM can verify password content on remote devices to ensure that they are
synchronized with corresponding passwords in the Password Vault, and are valid and
up-to-date. This process can either be managed automatically by the CPM or manually
by an authorized user. If the password on the remote machine is not synchronized with
the password in the Vault, the CPM alerts the user and can start a reconciliation process
to synchronize the passwords.
The password reconciliation processes determine how frequently passwords are reconciled and how the reconciliation is initiated. Passwords in the Vault must be synchronized with corresponding passwords on remote
devices to ensure that they are constantly available. Therefore, the CPM runs a
verification process to check that passwords are synchronized. If the verification process
discovers passwords that are not synchronized with their corresponding password in the
Vault, the CPM can reset both passwords and reconcile them. This ensures that the
passwords are resynchronized automatically, without any manual intervention.
The platform contains rules that determine whether automatic reconciliation will take
place when a password is detected as unsynchronized, or whether it is launched only
through a manual operation by an end user/system admin. A reconciliation account
password that will be used to reset the unsynchronized password can be defined either in
the platform or at account level. This account can be stored in a separate Safe, where it is
only accessible to the CPM for reconciliation purposes.
During password verification, the CPM plug-ins return a list of predefined errors to the
CPM. Each platform specifies the specific errors that will launch a reconciliation process
for passwords linked to that platform. This enables each enterprise to specify its own
prompts for reconciling passwords and gives maximum flexibility to individual needs.
During password reconciliation, the unsynchronized password is replaced in the Vault
and on the remote device with a new password that is generated according to the
relevant platform. As soon as reconciliation is finished successfully, all standard
verifications and changes can be carried out as usual. Users can see details of the last
reconciliation process in the Operational Views in the Accounts List.
Define a reconciliation password at either of the following levels:
■ Platform – All accounts attached to a specific platform will use the reconciliation
account password specified in the platform.
■ Account – A reconciliation account password can be defined at account level and
will override the account specified in the platform.
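The verification, reconciliation-trigger and head-start rules described above, as an added example that models those rules in plain Python; it is not CyberArk's code or data model, and the platform names, error names and reconciliation account names are constructed placeholders:

```python
from dataclasses import dataclass
from typing import FrozenSet, Optional

# Constructed model of the rules on this page; not CyberArk's own implementation.

@dataclass(frozen=True)
class Platform:
    name: str
    reconcile_on_errors: FrozenSet[str]      # verification errors that launch reconciliation
    auto_reconcile: bool                     # may reconciliation start without a manual operation?
    head_start_days: int                     # change is initiated this many days before expiry
    reconcile_account: Optional[str] = None  # platform-level reconciliation account (assumed name)

@dataclass(frozen=True)
class Account:
    name: str
    platform: Platform
    days_until_expiry: int
    reconcile_account: Optional[str] = None  # account-level setting; overrides the platform

def reconcile_account_for(acct: Account) -> Optional[str]:
    """Account-level reconciliation account wins over the platform-level one."""
    return acct.reconcile_account or acct.platform.reconcile_account

def decide_after_verification(acct: Account, error: Optional[str]) -> str:
    """Map a CPM plug-in verification result to the action the page describes."""
    if error is None:
        return "in_sync"                          # remote and Vault passwords match
    plat = acct.platform
    if error not in plat.reconcile_on_errors:
        return "alert_only"                       # not a reconcile trigger on this platform
    if reconcile_account_for(acct) is None:
        return "alert_no_reconcile_account"       # nothing available to reset the password with
    return "auto_reconcile" if plat.auto_reconcile else "await_manual_reconcile"

def change_due(acct: Account) -> bool:
    """Head start: initiate the change before the expiration period elapses."""
    return acct.days_until_expiry <= acct.platform.head_start_days

# Constructed sample data (placeholders, not real platforms, errors or accounts).
WIN = Platform("WindowsDomain", frozenset({"PASSWORD_MISMATCH"}), True, 5, "recon-win")
UNIX = Platform("UnixSSH", frozenset({"PASSWORD_MISMATCH", "ACCOUNT_LOCKED"}), False, 3)
svc = Account("svc-backup", WIN, days_until_expiry=4)
dba = Account("oracle-dba", UNIX, days_until_expiry=10, reconcile_account="recon-unix")
root = Account("root-host1", UNIX, days_until_expiry=2)
```

The `root-host1` case shows the gap a platform review should catch: an error that is configured to trigger reconciliation, but no reconciliation account at either level, leaves the CPM able only to alert.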
My best practice: You should have created a new Safe and a new reconciliation account. Keep this account separate and treat it similarly to the default accounts present in the internal Vault, thereby not touching it. This account has automatic password management enabled to rotate its password monthly, outside the schedule of the other accounts.