P-Synch by M-Tech Information Technology, Inc.
ID-Synch by M-Tech Information Technology, Inc.

Product Category: Password Management/Provisioning
Validation Date: TBD

Product Abstract

M-Tech software streamlines identity management: the administration of user authentication and access privileges across an enterprise. M-Tech's identity management platform consists of two tightly integrated products: P-Synch and ID-Synch.

P-Synch is a total password management solution that can synchronize user passwords across all systems and platforms; enforce enterprise-wide password strength policies; allow support staff to reset passwords on every system, with no special administrative rights; and allow authenticated users to reset their own forgotten passwords. P-Synch reduces support costs while improving network security.

ID-Synch is an account management tool that simplifies the routine tasks of multi-system directory management. It can be used to create, update and delete login IDs based on input from an authorization workflow engine, central user administration console or rules-based provisioning system.
P-Synch's password management functionality includes:

Secure management of passwords using any web browser:
• End-user password synchronization
• Help desk password reset
• User password self-reset
• Enterprise password policy enforcement

Extended native password management tools:
• Available for Windows 2000, .Net, NT, LDAP, RACF, ACF2, Top Secret, and Unix
• Enforces enterprise password policy natively
• Automatically propagates new passwords to other systems

RSA SecurID PIN management features:
• Set SecurID/ACE accounts to "New PIN" mode
• Initialize or change the PIN number for the tokens
• Temporarily enable or disable the security tokens
• Enable and disable emergency access mode for the SecurID/ACE accounts

P-Synch's four most popular modes of operation:
• Transparent synchronization:
  o native user password changes on Win 2000, NT, LDAP, RACF and Unix are automatically extended to other systems.
• Web synchronization:
  o users synchronize their passwords on all systems from a web browser.
• User self-service password reset:
  o users are authenticated by some means other than passwords, and are able to reset their own passwords.
• Help desk reset:
  o support staff authenticate callers and reset their passwords from a web browser.

20 December 05 M-Tech P-Synch / ID-Synch Integration Note Page 1
M-Tech Information Technology, Inc.

Integration Summary

P-Synch Integration

The integration between P-Synch and the Remedy AR System automatically updates existing call records (also called "requests" or "entries") when P-Synch is used by a help desk operator and automatically creates call records from self-service events. This eliminates redundant data entry, streamlines the password problem resolution process, and provides management with effective call and problem statistics. Many events that occur when using P-Synch can be configured to create a new call record or modify an existing one.
Using this option, help desk personnel can track events that have occurred in P-Synch and take appropriate action. If the appropriate options are configured, the help desk user can correct a problem within P-Synch and have a specific call record updated or closed automatically. Along with this functionality, information from specific call records can be retrieved and sent, via e-mail, to a specified list of recipients, thus providing immediate notification.

Figure 1: Integration Between P-Synch/ID-Synch and the Remedy AR System

Events in P-Synch occur when a user performs an action. This may be, for example, a failed password change or a successful password reset. P-Synch supports 105 possible actions. Whenever an event takes place, the P-Synch server follows these steps:
1. Check if an interface program has been associated with this event; if so, start it.
2. The interface program reads a log describing the actions taken by the user.
3. The interface program reads a script file.
4. The section in the script file describing the particular event is found.
5. The actions for that section are performed. This includes the ability to search for data in the help desk system, add data to the help desk system, iterate through the information from the event log, send e-mail messages, etc.

ID-Synch Integration

ID-Synch Interface

ID-Synch supplies agents that integrate with the various versions of AR System. These agents allow administrators to perform various operations such as creating or deleting AR System user accounts, listing and/or updating accounts and user attributes, and performing password verifications and resets. ID-Synch will automate and simplify the tasks of provisioning new users and managing existing users across several different target systems, including Remedy AR System.
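To make the five steps concrete, the following Python is an added example, not M-Tech's pxrem interface program and not code from this note. It takes a constructed event log (a dict of %VAR% values; the real log format is not shown in this note and is assumed here), parses operation sections written in the syntax of the configuration samples in the Sample Scenario section of this note, locates the section for the event, and executes it against an in-memory stand-in for the AR System. How append, search, assign and the [good]/[bad] labels behave is this example's reading of those samples, not documented M-Tech behaviour, and the ARSystemStub class is a constructed substitute for the real AR System API.

```python
# Added example (not M-Tech code): simulates the five event-handling steps above against an
# in-memory AR System stand-in; the action semantics are this example's assumption, not M-Tech's.
import re

# Constructed script in the syntax of this note's Sample Scenario #1 (field lists abridged).
SCRIPT = '''
operation(FRONTEND_IDENTIFY_LOCKOUT) {
    append good bad {
        "Short Description" = "%USERID% locked out of P-Synch"
        "Status" = "0"
    }
    [good] success
    [bad] failure "Couldn't create call record for FRONTEND_IDENTIFY_LOCKOUT"
}
operation(ADMIN_ENABLE_USER) {
    search "Request ID" "%TICKET%" good bad { }
    [good] assign next bad {
        "Status" = "4"
        "Resolved Description" = "Enabled the account for %USERID% by P-Synch administrator %ADMINID%"
    }
    success
    [bad] failure "Couldn't update call record for ADMIN_ENABLE_USER"
}
'''
# A section runs from "operation(NAME) {" to the first "}" that starts a line (as in the samples).
OP_RE = re.compile(r'operation\((\w+)\)\s*\{(.*?)^\}', re.S | re.M)
FIELD_RE = re.compile(r'"([^"]*)"\s*=\s*"([^"]*)"')            # "Field" = "Value"
STMT_RE = re.compile(r'''
    \[(?P<label>\w+)\]                                                                  # [good] / [bad]
  | (?P<verb>append|assign)\s+(?P<good>\w+)\s+(?P<bad>\w+)\s*\{(?P<fields>[^}]*)\}      # verb good bad { fields }
  | search\s+"(?P<sfield>[^"]*)"\s+"(?P<svalue>[^"]*)"\s+(?P<sgood>\w+)\s+(?P<sbad>\w+)\s*\{\s*\}
  | (?P<success>success)
  | failure\s+"(?P<msg>[^"]*)"
''', re.X)

def parse_operations(script):
    """Step 3/4: map each event name to the ordered statements of its operation() section."""
    ops = {}
    for name, body in OP_RE.findall(script):
        items = []
        for m in STMT_RE.finditer(body):
            if m["label"]:
                items.append(("label", m["label"]))
            elif m["verb"]:
                items.append((m["verb"], m["good"], m["bad"], dict(FIELD_RE.findall(m["fields"]))))
            elif m["sfield"] is not None:
                items.append(("search", m["sgood"], m["sbad"], {m["sfield"]: m["svalue"]}))
            elif m["success"]:
                items.append(("success",))
            else:
                items.append(("failure", m["msg"]))
        ops[name] = items
    return ops

def substitute(text, log):
    """Replace %NAME% placeholders with values read from the event log (step 2)."""
    return re.sub(r"%(\w+)%", lambda m: log.get(m[1], m[0]), text)

class ARSystemStub:
    """In-memory stand-in for the AR System form; not the real AR System API."""
    def __init__(self):
        self.entries = {}
    def append(self, fields):
        rid = f"REQ{len(self.entries) + 1:06d}"
        self.entries[rid] = {"Request ID": rid, **fields}
        return rid
    def search(self, field, value):
        return next((rid for rid, e in self.entries.items() if e.get(field) == value), None)

def run_event(event, log, ops, ar):
    """Steps 1-5: find the section for this event and execute it; returns (ok, detail)."""
    items = ops.get(event)
    if items is None:                                  # step 1: no interface program for this event
        return True, "no action configured"
    pos, current = 0, None                             # current: entry from the last append/search
    while pos < len(items):
        item = items[pos]
        if item[0] == "label":
            pos += 1
            continue
        if item[0] in ("success", "failure"):
            return (True, current) if item[0] == "success" else (False, item[1])
        verb, good, bad, raw = item
        fields = {k: substitute(v, log) for k, v in raw.items()}
        if verb == "append":
            current = ar.append(fields)
        elif verb == "search":
            [(field, value)] = fields.items()
            current = ar.search(field, value)
        elif current in ar.entries:                    # assign: update the entry found by search
            ar.entries[current].update(fields)
        ok = current in ar.entries                     # each verb succeeds only with a live entry
        target = good if ok else bad                   # "next" falls through, otherwise jump to [label]
        pos = pos + 1 if target == "next" else items.index(("label", target)) + 1
    return False, "section ended without success or failure"

def demo():
    """Sample Scenario #1: Joe's lockout opens a ticket, Jane's re-enable closes it."""
    ar, ops = ARSystemStub(), parse_operations(SCRIPT)
    # Constructed event logs; the real interface program reads these values from P-Synch's log.
    ok1, ticket = run_event("FRONTEND_IDENTIFY_LOCKOUT", {"USERID": "joe", "USERNAME": "Joe Example"}, ops, ar)
    ok2, _ = run_event("ADMIN_ENABLE_USER", {"USERID": "joe", "ADMINID": "jane", "TICKET": ticket}, ops, ar)
    wrong = run_event("ADMIN_ENABLE_USER", {"USERID": "joe", "ADMINID": "jane", "TICKET": "REQ999999"}, ops, ar)
    return ok1, ok2, ar.entries[ticket], wrong

if __name__ == "__main__":
    print(demo())
```

The third call in demo() shows the [bad] branch: a ticket number that no entry carries makes the search fail, so the section ends in its failure message instead of silently closing nothing, which is the behaviour a help desk operator typing a wrong ticket number should see.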
Core ID-Synch features include:
• Automatic Propagation of Changes from Authoritative to Target Systems
• Self-service Authorization workflow for Change Requests
• Consolidated and Delegated User Administration
• Consolidated Reporting and Auditing

Additional ID-Synch features include:
• Group Membership Management
• Fulfillment Engine
• Administration for Physical Devices
• Access Control System
• Directory Cleanup
• Automatic Account Discovery
• Self-service Login ID Reconciliation

SOAP Web Service

ID-Synch also supplies a SOAP (Simple Object Access Protocol) web service that provides a method for SOAP clients to access a number of P-Synch/ID-Synch functionalities. The ID-Synch web service now supports numerous methods, ranging from password management to account management functionalities. For example, it is possible to create, update and delete login IDs using the ID-Synch web service.

ID-Synch integrates with the AR System Server by using SOAP as shown in Figure 1. The ID-Synch SOAP service can be used by any SOAP client toolkit conforming to the SOAP standards. The ID-Synch web service and its method of access are described in a supplied WSDL (Web Service Description Language) file. The AR Server has a built-in web services integration that can handle SOAP requests and responses based on a supplied WSDL file. The data being exchanged between ID-Synch and the AR System would need to be mapped between the AR System's forms and the ID-Synch web service as described in the Developing AR System Applications: Advanced guide.

When the ID-Synch web service receives a SOAP request from the AR System, it:
1. parses the SOAP request,
2. performs the operations requested with the data supplied, and
3. sends a response to the AR System indicating the results of the operations.

The AR System then parses the response and stores or displays the information.
Support Information

The integration described in this note is supported by M-Tech Information Technology, Inc. M-Tech Information Technology, Inc. develops, markets, and supports the installation of P-Synch / ID-Synch and its integration with BMC Software products.

System Requirements

The following M-Tech software and BMC Software application must be installed and operating correctly prior to the integration:
• Remedy AR System 3.x, 4.x, 5.x, or 6.x (AR System 5.x or later required for Web Services)
• M-Tech P-Synch 6.x / ID-Synch 4.x

Server Requirements
• Microsoft Windows NT 4.0 (with Service Pack 4 or later), Windows 2000.
• 20 MB of available disk space, plus additional space for each managed client's data.
• 32 MB of RAM.

Client Requirements
• Windows 2000 or 2003.
• 10GB SCSI Disk.
• 256 MB of RAM.

Detailed AR System requirements and supported platforms can be found at http://supportweb.remedy.com/Rem/IssuesAndSolutions/CompatibilityMatrix/index.jsp.

Contact Information

M-Tech Information Technology, Inc.
#500, 1401 - 1st Street S.E.
Calgary, Alberta, Canada T2G 2J3
Phone: 403-233-0740
Fax: 403-233-0725
Email: sales@mtechIT.com
Website: www.mtechIT.com

BMC Software, Inc.
1030 West Maude Avenue
Sunnyvale, CA 94085-2810
Phone: 408-571-7000
Fax: 408-571-7001
Email: info@remedy.com
Website: www.remedy.com

Integration Details

Pre-installation Steps

Prior to integrating P-Synch or ID-Synch and AR System, you must perform the following steps:
1. Ensure that you install the Remedy AR System client for the AR System that you will be targeting. Also test the connectivity between the client and the AR System.
2. Create an account on the Remedy AR System that is allowed to reset user passwords.
3. Edit the system PATH on the P-Synch or ID-Synch server to include the AR System installation directory (default is C:\Program Files\AR System\User for AR System 6.x and C:\Program Files\AR System for previous versions).
4. Reboot the computer to ensure that the system PATH is updated.

P-Synch Integration

Once the AR System User module and P-Synch are installed, you can integrate them. The steps to perform this are as follows:
• Determine which interface program you will be using. AR System 3.x, 4.x, 5.x, and 6.x require "pxrem3.exe", "pxrem4.exe", "pxrem5.exe", and "pxrem6.exe" as their interface programs, respectively.
• Set the P-Synch system variable(s) for the event(s) to be tracked to the interface program chosen in the previous step. This is performed through P-Synch's help desk module (nph-psa.exe). After logging in, select the "Configure P-Synch" option. Select the "Web Modules" option from the screen that follows, and then "Help Desk" to view the options shown in the screen shot below. For desired system variables that execute an exit trap program, click the "On" radio button and enter the interface program name in the "Value" box. Click "Update" to enable the selected system variables. For more information on setting system variables see the P-Synch Installation and Configuration Guide.
• Add an operation section for each of the selected system variables to the configuration file. For more information on how to complete the configuration file, see the Help Desk Interface section in the P-Synch Installation and Configuration Guide. Sample operations are also provided in the sample scenarios section of this document.
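Each operation section names form fields and literal values, and the sample scenarios in this note warn that every such field must already exist on the AR System form and accept the value given. As an added check (example code, not part of this note and not one of M-Tech's tools), the following Python parses a schema listing in the format that the schmrem6.exe utility described in the next section produces, and validates a field block against it before it goes into pxrem6.cfg. The "Status" entry is the one shown in this note; the "Short Description" and "Priority" entries, and the two field blocks, are constructed for the example and do not describe a real form.

```python
# Added example (not M-Tech code): parses a schema listing in the format produced by
# schmrem6.exe, as shown in this note, and checks an operation's field block against it.
import re

# Constructed listing. "Status" is copied from this note; "Short Description" and
# "Priority" are made-up entries for illustration only, not real form definitions.
SCHEMA_LISTING = '''
"Status" "Status" = {
    "default value" = "0"
    "requirement" = "required"
    "type" = "enumeration"
    "enum" "" = { "0" = "New" "1" = "Assigned" "2" = "Fixed" "3" = "Rejected" "4" = "Closed" }
}
"Short Description" "Short Description" = {
    "default value" = ""
    "requirement" = "required"
    "type" = "character"
}
"Priority" "Priority" = {
    "default value" = "1"
    "requirement" = "optional"
    "type" = "enumeration"
    "enum" "" = { "0" = "Low" "1" = "Medium" "2" = "High" }
}
'''
TOKEN_RE = re.compile(r'"([^"]*)"|([{}=])')

def tokenize(text):
    """Quoted strings become ('str', text); braces and '=' become ('sym', char)."""
    return [("str", m[1]) if m[1] is not None else ("sym", m[2]) for m in TOKEN_RE.finditer(text)]

def parse_block(toks, i):
    """Parse '"key" ["label"...] = "value" | { ... }' entries up to the closing brace."""
    block = {}
    while i < len(toks) and toks[i] != ("sym", "}"):
        key = toks[i][1]                       # the first quoted string names the entry
        while toks[i] != ("sym", "="):         # skip repeated labels: "Status" "Status", "enum" ""
            i += 1
        i += 1
        if toks[i] == ("sym", "{"):
            block[key], i = parse_block(toks, i + 1)
        else:
            block[key], i = toks[i][1], i + 1
    return block, i + 1

def parse_schema(listing):
    """Return {field name: {"default value": ..., "requirement": ..., "type": ..., "enum": {...}}}."""
    schema, _ = parse_block(tokenize(listing), 0)
    return schema

def validate_fields(schema, fields):
    """List the problems an operation's field block would hit on this form."""
    problems = []
    for name, value in fields.items():
        spec = schema.get(name)
        if spec is None:
            problems.append(f'"{name}": no such field on the form')
        # %VAR% values are only known at run time, so only literal enumeration values are checked.
        elif spec.get("type") == "enumeration" and "%" not in value and value not in spec.get("enum", {}):
            problems.append(f'"{name}": {value!r} is not one of {sorted(spec.get("enum", {}))}')
    for name, spec in schema.items():
        if spec.get("requirement") == "required" and not spec.get("default value") and name not in fields:
            problems.append(f'"{name}": required field with no default is not set')
    return problems

# Constructed field blocks as they would appear in pxrem6.cfg: one valid, one with three mistakes.
GOOD_FIELDS = {"Short Description": "%USERID% locked out of P-Synch", "Status": "0", "Priority": "1"}
BAD_FIELDS = {"Status": "7", "Prioity": "1"}

def check_samples():
    """Validate both constructed blocks; returns (problems for GOOD_FIELDS, problems for BAD_FIELDS)."""
    schema = parse_schema(SCHEMA_LISTING)
    return validate_fields(schema, GOOD_FIELDS), validate_fields(schema, BAD_FIELDS)

if __name__ == "__main__":
    good, bad = check_samples()
    print("good block:", good or "no problems")
    for problem in bad:
        print("bad block:", problem)
```

Running the check over a pxrem6.cfg before enabling the exit trap catches the mistakes that otherwise only surface as the "failure" branch of an operation at the moment a help desk call is being handled: a misspelled field name, a status code outside the form's enumeration, or a required field the operation never sets.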
AR System Schema Information

When writing the configuration file, there are utilities called schmrem5.exe (AR System 5.x) and schmrem6.exe (AR System 6.x) that list the required and optional fields for each of the forms on the AR System. These utilities create a file containing the schema information for each field. The field names as well as information such as the data types, limits, and values for enumeration lists are provided. This utility is helpful when writing the configuration file (such as pxrem6.cfg) since these fields may be used directly with the events. It is also used by the automated P-Synch event action configuration interface.

• For example, schmrem6.exe is run with the following arguments:

    schmrem6.exe -t <targetID> -l <filename>

• Sample output of the schema information:

    "Status" "Status" = {
        "default value" = "0"
        "requirement" = "required"
        "type" = "enumeration"
        "enum" "" = {
            "0" = "New"
            "1" = "Assigned"
            "2" = "Fixed"
            "3" = "Rejected"
            "4" = "Closed"
        }
    }

For additional information regarding the operation of schmrem5.exe or schmrem6.exe, see the P-Synch Installation and Configuration Guide.

Event Action Configuration Interface

The configuration file may also be auto-generated for AR System version 5 or 6 via the event action configuration interface. To do so, perform the following steps:
• Select the "Configure P-Synch" option, then "Event Actions".
• From the Event configuration page, click the "Target systems" button. Select "Remedy ARS 5.x" or "Remedy ARS 6.x" and the AR System target. Click Add.
• Psupdate must now be run in order to generate the schema list file (schmrem5.exe or schmrem6.exe generates this file).
• Once psupdate is complete, go back to the Event configuration page, select an event that you wish to configure and click the Add button.
• Click "Configure" next to "Remedy ARS 5.x" or "Remedy ARS 6.x". On the next page, choose a custom AR System form that will be used for the event.
• The next page is where you choose which fields will be used for the configuration script, such as pxrem6.cfg, as well as their values. After clicking the Update button, the fields and their values will be written to the pxrem6.cfg file, which can be found in the <instance>\bin directory. It is now ready to be used with the specified event.

For more information on configuring event actions, see the Configuring E-mail and Other Event Actions section in the P-Synch Installation and Configuration Guide.

ID-Synch Integration

ID-Synch Interface

One of the operations that may be performed by ID-Synch is to create a new AR System user account. To do so, perform the following steps.

Enter your ID-Synch administrator login ID. Enter your ID-Synch administrator password.

Create a new Remedy AR System target on the ID-Synch server. To do so, click the "Home" button, and then select the "System configuration" link, followed by "Targets", and then "Target systems". The target address may simply be specified as the server name of the Remedy AR System. See the ID-Synch Installation and Configuration Guide for more options regarding the specification of the target address. Ensure that the "Login IDs are case-sensitive" option is checked.

Set the administrative ID and password for the Remedy AR System administrator, which was created in the pre-installation steps.

Run the automatic update process to retrieve the list of Remedy AR System users.

Optionally, create authorizers / locations / object types / templates / roles for provisioning new Remedy AR System users.
Create a new Remedy AR System user by following the steps outlined for a new user profile.

Existing user profiles may also be viewed and modified.

SOAP Web Service

Once the AR System User module and ID-Synch are installed, you can integrate them. The steps to integrate ID-Synch and the AR System are included in the SYNCHAPI (ID-Synch Remote API) documentation, but a summary of the steps is as follows:
• Set up an administrator on the ID-Synch server; for example: psadmin. This user will be used to log in to the ID-Synch web service.
• Obtain the WSDL file supplied with ID-Synch and update the generic URL with the real URL to the installed ID-Synch web service.
• Create forms and filters on the AR System to consume the ID-Synch web service. To do so, follow the AR System's documentation on consuming web services.

Example Logon Screens

ID-Synch Self-Service Interface

Enter your Remedy AR System login ID. Enter your Remedy AR System password.

Use the self-service interface to reset and manage your Remedy AR System account and ID-Synch profile.

P-Synch Self-Service Interface

Use the self-service interface to reset and manage your Remedy AR System account and P-Synch profile.

Sample Scenario

P-Synch Integration

A company has installed P-Synch and the AR System and has set up the configuration file to perform various entry creations and updates.
Below are extractions from sample configuration files showing the event configurations. Only the "operations" part of the script file is shown. Any "global definitions" and "functions" would need to be added to the file above these "operations". See the Help Desk Interface section in the P-Synch Installation and Configuration Guide for more information. The following are two sample scenarios describing how P-Synch integrates with the AR System.

Sample Scenario #1

The configuration file is set up to create a new entry when a FRONTEND_IDENTIFY_LOCKOUT event occurs. It is also set up to update a ticket to a closed status when an ADMIN_ENABLE_USER event occurs. Note that all fields specified in the operations must already exist on the AR System form and must be settable to the specified values.

For this sample, you will also need to expose the ticket entry field in the P-Synch Help Desk Module so that help desk users can enter the ticket number they are referencing for the ADMIN_ENABLE_USER operation. To do so, first copy the <instance>\design\examples\cgilogin.m4 file to the <instance>\design\custom directory. Then copy the A_LOGIN section from <instance>\design\src\common\cgilogin.m4 to the custom cgilogin.m4 file, and uncomment the entries referring to the ticket number. The next step is to regenerate the P-Synch GUI using the make commands; for example: "make en-us", then "make install en-us". For more information regarding the make commands, consult the Customizing the User Interface section of the P-Synch Installation and Configuration Guide. Once this has been completed, there will be a new entry field on the Help desk login page (nph-psa.exe) for help desk users to enter the ticket number. This value is stored in the %TICKET% variable that will be used in the AR System configuration script (for example: pxrem6.cfg).
    operation(FRONTEND_IDENTIFY_LOCKOUT) {
        append good bad {
            "Assigned To" = "%USERID%"
            "Name" = "%USERNAME%"
            "Short Description" = "%USERID% locked out of P-Synch"
            "Long Description" = "%USERID% (%USERNAME%) locked themselves out of their P-Synch account"
            "P-Synch User" = "%USERID%"
            "Status" = "0"
            "Priority" = "1"
            "Case Type" = "1"
            "Source" = "2"
            "Summary" = "Lock out"
            "Category" = "Security/Admin"
            "Type" = "Other"
            "Item" = "Password Reset"
            "Submitter" = "P-SynchAdmin"
        }
        [good] success
        [bad] failure "Couldn't create call record for FRONTEND_IDENTIFY_LOCKOUT"
    }

    operation(ADMIN_ENABLE_USER) {
        search "Request ID" "%TICKET%" good bad { }
        [good] assign next bad {
            "Status" = "4"
            "Resolved Description" = "Enabled the account for %USERID% by P-Synch administrator %ADMINID%"
        }
        success
        [bad] failure "Couldn't update call record for ADMIN_ENABLE_USER"
    }

The results of this configuration file would be as follows:

An employee named Joe decides he would like to change his password. Unfortunately, when he enters his old password the Caps Lock is on. After attempting to validate himself three consecutive times he gets locked out of P-Synch. This is a FRONTEND_IDENTIFY_LOCKOUT event. A new entry in the AR System is created with the specified type, priority, login name, etc. All of these are fields within the company's custom AR System form.

Joe then calls the help desk. Jane answers his call. She logs in to P-Synch as a help desk administrator and enters the request ID of the previously created entry. She resets his password to a standard value. She then re-enables his profile ID so that he is allowed to once again log in. This is an ADMIN_ENABLE_USER event. The entry is updated to the closed state and an appropriate description is filled in.

Sample Scenario #2

Alternatively, the ticket may also be created and closed all in the same operation.
The configuration file is set up to create and close a ticket when an ADMIN_RESET_SUCCESS event occurs. The %TICKET% variable is not required in this case. The status of the ticket is changed to a closed state directly after it is created.

    operation(ADMIN_RESET_SUCCESS) {
        append good bad {
            "Choice" = "1"
            "psynch user" = "%USERID%"
            "Resolved Description" = "auto-closing ticket. account reset."
            "Assigned To" = "%USERID%"
            "Name" = "%USERNAME%"
            "Short Description" = "Reset %USERID%'s P-Synch Account"
            "Long Description" = "Admin Reset of %USERID%'s (%USERNAME%) P-Synch account by %ADMINID%"
            "P-Synch User" = "%USERID%"
            "Status" = "4"
            "Priority" = "1"
            "Case Type" = "1"
            "Source" = "2"
            "Summary" = "Reset"
            "Category" = "Security/Admin"
            "Type" = "Other"
            "Item" = "Password Reset"
            "Submitter" = "P-SynchAdmin"
        }
        [good] success
        [bad] failure "Couldn't create call record"
    }

The results of this configuration file would be as follows:

An employee named Joe has forgotten his password and is unable to log in to P-Synch. Joe calls the help desk. Jane answers his call. She logs in to P-Synch and resets his password to a standard value. This is an ADMIN_RESET_SUCCESS event. A new ticket is created in the AR System database for Joe, and then is immediately closed because the password has been successfully reset. Joe may now log in to P-Synch.

These scenarios demonstrate the usefulness of the integration of P-Synch and the AR System. Had this integration not existed, Jane would have had to create the ticket with all of the required information when Joe called. She would also have had to make all of the necessary updates and close the entry. In a company where this type of password-related entry occurs often, the time saved by having entries created and updated automatically is tremendous.

ID-Synch Integration

Let's refer to the sample scenario #2 above with Joe and Jane.
If the AR System had been integrated with ID-Synch using the SOAP web service, Jane would not have needed to log in using the P-Synch user interface. Instead, Jane only needs to open the company's custom AR System form, supply her credentials, and reset Joe's passwords. Similarly, Jane could potentially do all account management functions, such as creating or deleting accounts, through AR System forms that are customized to the company's liking. Jane may alternatively also centrally perform many AR System account management functions directly from the P-Synch and ID-Synch interfaces. Several processes may be put in place to provision new AR System user accounts, delete existing accounts, update user attributes and reset passwords.

Endnotes

M-Tech Information Technology, Inc. and BMC Software produced this integration note to assist customers with joint BMC Software/M-Tech implementations. BMC Software and M-Tech Information Technology, Inc. have made an effort to ensure that the information contained in this document is accurate, but do not guarantee any accuracy now or in the future.

P-Synch and ID-Synch are registered trademarks of M-Tech Information Technology, Inc. Remedy and AR System are registered trademarks or trademarks of BMC Software, Inc. All other trademarks are the property of their respective owners.

© M-Tech Information Technology 2005. Rights to reproduce this document by written permission of M-Tech Information Technology only.