P-Synch by M-Tech Information Technology, Inc.
ID-Synch by M-Tech Information Technology, Inc.
Product Category: Password Management/Provisioning
Validation Date: TBD
Product Abstract
M-Tech software streamlines identity management: the administration of user authentication and
access privileges across an enterprise. M-Tech's identity management platform consists of two
tightly integrated products: P-Synch and ID-Synch.
P-Synch is a total password management solution that can synchronize user passwords across all
systems and platforms; enforce enterprise-wide password strength policies; allow support staff to
reset passwords on every system, with no special administrative rights, and allow authenticated
users to reset their own forgotten passwords. P-Synch reduces support costs while improving
network security.
ID-Synch is an account management tool that simplifies the routine tasks of multi-system
directory management. It can be used to create, update and delete login IDs based on input from
an authorization workflow engine, central user administration console or rules-based provisioning
system.
P-Synch’s password management functionality includes:
Secure management of passwords using any web browser:
• End-user password synchronization
• Help desk password reset
• User password self-reset
• Enterprise password policy enforcement
Extended native password management tools:
• Available for Windows 2000, .Net, NT, LDAP, RACF, ACF2, Top Secret, and Unix
• Enforces enterprise password policy natively
• Automatically propagates new passwords to other systems
RSA SecurID PIN management features:
• Set SecurID/ACE accounts to "New PIN" mode
• Initialize or change the PIN for the tokens
• Temporarily enable or disable the security tokens
• Enable and disable emergency access mode for the SecurID/ACE accounts
P-Synch's four most popular modes of operation:
• Transparent synchronization: native user password changes on Win 2000, NT, LDAP, RACF and Unix are automatically extended to other systems.
• Web synchronization: users synchronize their passwords on all systems from a web browser.
• User self-service password reset: users are authenticated by some means other than passwords, and are able to reset their own passwords.
• Help desk reset: support staff authenticate callers and reset their passwords from a web browser.
20 December 05
M-Tech P-Synch / ID-Synch Integration Note
Page 1
M-Tech Information Technology, Inc.
Integration Summary
P-Synch Integration
The integration between P-Synch and the Remedy AR System automatically updates existing call
records (also called “requests” or “entries”) when P-Synch is used by a help desk operator and
automatically creates call records from self-service events. This eliminates redundant data entry,
streamlines the password problem resolution process, and provides management with effective
call and problem statistics.
Many events that occur when using P-Synch can be configured to create a new call record or
modify an existing one. Using this option, help desk personnel can track events that have
occurred in P-Synch and take appropriate action. If the appropriate options are configured, the
help desk user can correct a problem within P-Synch and have a specific call record updated or
closed automatically. Along with this functionality, information from specific call records can be
retrieved and sent, via e-mail, to a specified list of recipients, thus providing immediate
notification.
Figure 1: Integration Between P-Synch/ID-Synch and the Remedy AR System
Events in P-Synch occur when a user performs an action. This may be, for example, a failed
password change or a successful password reset. P-Synch supports 105 possible actions.
Whenever an event takes place, the P-Synch server follows these steps:
1. Check if an interface program has been associated with this event; if so, start it.
2. The interface program reads a log describing the actions taken by the user.
3. The interface program reads a script file.
4. The section in the script file describing the particular event is found.
5. The actions for that section are performed. This includes the ability to search for data in the help desk system, add data to the help desk system, iterate through the information from the event log, send e-mail messages, etc.
ID-Synch Integration
ID-Synch Interface
ID-Synch supplies agents that integrate with the various versions of AR System. These agents
allow administrators to perform various operations such as creating or deleting AR System user
accounts, listing and/or updating accounts and user attributes, and performing password
verifications and resets.
ID-Synch will automate and simplify the tasks of provisioning new users and managing existing
users across several different target systems, including Remedy AR System.
Core ID-Synch features include:
• Automatic Propagation of Changes from Authoritative to Target Systems
• Self-service Authorization workflow for Change Requests
• Consolidated and Delegated User Administration
• Consolidated Reporting and Auditing
Additional ID-Synch features include:
• Group Membership Management
• Fulfillment Engine
• Administration for Physical Devices
• Access Control System
• Directory Cleanup
• Automatic Account Discovery
• Self-service Login ID Reconciliation
SOAP Web Service
ID-Synch also supplies a SOAP (Simple Object Access Protocol) web service that provides a
method for SOAP clients to access a number of P-Synch/ID-Synch functionalities. The ID-Synch
web service now supports numerous methods, ranging from password management to account
management functionalities. For example, it is possible to create, update and delete login IDs
using the ID-Synch web service. ID-Synch integrates with the AR System Server by using SOAP
as shown in Figure 1.
The ID-Synch SOAP service can be used by any SOAP client toolkit conforming to the SOAP
standards. The ID-Synch web service and its method of access are described in a supplied WSDL
(Web Service Description Language) file. The AR Server has a built-in web services integration
that can handle SOAP requests and responses based on a supplied WSDL file. The data being
exchanged between ID-Synch and the AR System must be mapped between the AR System’s
forms and the ID-Synch web service as described in the Developing AR System Applications:
Advanced guide.
When the ID-Synch web service receives a SOAP request from the AR System, it:
1. parses the SOAP request
2. performs the operations requested with the data supplied, and
3. sends a response to the AR System indicating the results of the operations
The AR System then parses the response and stores or displays the information.
Support Information
The integration described in this note is supported by M-Tech Information Technology, Inc.
M-Tech Information Technology, Inc develops, markets, and supports the installation of P-Synch
/ ID-Synch and its integration with BMC Software products.
System Requirements
The following M-Tech software and BMC Software application must be installed and operating
correctly prior to the integration:
• Remedy AR System 3.x, 4.x, 5.x, or 6.x (AR System 5.x or later required for Web Services)
• M-Tech P-Synch 6.x / ID-Synch 4.x
Server Requirements
• Microsoft Windows NT 4.0 (with Service Pack 4 or later), Windows 2000.
• 20 MB of available disk space, plus additional space for each managed client’s data.
• 32 MB of RAM.
Client Requirements
• Windows 2000 or 2003.
• 10GB SCSI Disk.
• 256 MB of RAM.
Detailed AR System requirements and supported platforms can be found at
http://supportweb.remedy.com/Rem/IssuesAndSolutions/CompatibilityMatrix/index.jsp.
Contact Information
M-Tech Information Technology, Inc.
#500, 1401 - 1st Street S.E.
Calgary, Alberta, Canada T2G 2J3
Phone: 403-233-0740
Fax: 403-233-0725
Email: [email protected]
Website: www.mtechIT.com
BMC Software, Inc.
1030 West Maude Avenue
Sunnyvale, CA 94085-2810
Phone: 408-571-7000
Fax: 408-571-7001
Email: [email protected]
Website: www.remedy.com
Integration Details
Pre-installation Steps
Prior to integrating P-Synch or ID-Synch and AR System, you must perform the following steps:
1. Ensure that you install the Remedy AR System client for the AR System that you will be targeting. Also test the connectivity between the client and the AR System.
2. Create an account on the Remedy AR System that is allowed to reset user passwords. Use a dedicated account with only the rights the integration needs; its ID and password are later entered on the ID-Synch server as the administrative credentials for the Remedy AR System target.
3. Edit the system PATH on the P-Synch or ID-Synch server to include the AR System installation directory (default is C:\Program Files\AR System\User for AR System 6.x and C:\Program Files\AR System for previous versions).
4. Reboot the computer to ensure that the system PATH is updated.
P-Synch Integration
Once the AR System User module and P-Synch are installed, you can integrate them. The steps
to perform this are as follows:
• Determine which interface program you will be using. AR System 3.x, 4.x, 5.x, and 6.x require “pxrem3.exe”, “pxrem4.exe”, “pxrem5.exe”, and “pxrem6.exe” as their interface programs, respectively.
• Set the P-Synch system variable(s) for the event(s) to be tracked to the interface program chosen in the previous step. This is performed through P-Synch’s help desk module (nph-psa.exe). After logging in, select the “Configure P-Synch” option. Select the “Web Modules” option from the screen that follows, and then “Help Desk” to view the options shown in the screen shot below. For each system variable that should execute an exit trap program, click the “On” radio button and enter the interface program name in the “Value” box. Click “Update” to enable the selected system variables. For more information on setting system variables see the P-Synch Installation and Configuration Guide.
• Add an operation section for each of the selected system variables to the configuration file. For more information on how to complete the configuration file see the Help Desk Interface section in the P-Synch Installation and Configuration Guide. Sample operations are also provided in the sample scenarios section of this document.
AR System Schema Information
When writing the configuration file, the utilities schmrem5.exe (AR System 5.x) and
schmrem6.exe (AR System 6.x) list the required and optional fields for each of the forms on
the AR System. These utilities create a file containing the schema information for each field:
the field names as well as data types, limits, and values for enumeration lists. This output is
helpful when writing the configuration file (such as pxrem6.cfg), since the listed fields can be
used directly in the event operations, and it is also used by the automated P-Synch event
action configuration interface.
• For example, schmrem6.exe is run with the following arguments:
schmrem6.exe -t <targetID> -l <filename>
• Sample output of the schema information:
"Status" "Status" = {
"default value" = "0"
"requirement" = "required"
"type" = "enumeration"
"enum" "" = {
"0" = "New"
"1" = "Assigned"
"2" = "Fixed"
"3" = "Rejected"
"4" = "Closed"
}
}
For additional information regarding the operation of schmrem5.exe or schmrem6.exe, see the P-Synch Installation and Configuration Guide.
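The schema dump is also the reference against which the "field" = "value" pairs in a configuration file should be checked before an event is wired up: a field that is not on the form, or an enumeration code that is not in its list, is only discovered when the interface program fails to create or update the call record. The following is an added example, the editor's own Python and not M-Tech or BMC code. It parses a dump in the shape shown above and reports assignments the form would reject; the Priority and Short Description entries in its sample are constructed for illustration, and the real utilities may emit attributes this parser does not recognise.

```python
# Added example (the editor's, not M-Tech or BMC code): parse a schmrem-style
# schema dump and check the "field" = "value" pairs an operation writes against
# it. The dump grammar is inferred from the single Status sample above; the
# Priority and Short Description entries in SAMPLE_DUMP are constructed for
# illustration and do not come from any real AR System form.
import re

SAMPLE_DUMP = '''
"Status" "Status" = {
"default value" = "0"
"requirement" = "required"
"type" = "enumeration"
"enum" "" = {
"0" = "New"
"1" = "Assigned"
"2" = "Fixed"
"3" = "Rejected"
"4" = "Closed"
}
}
"Priority" "Priority" = {
"requirement" = "optional"
"type" = "enumeration"
"enum" "" = {
"0" = "Low"
"1" = "High"
}
}
"Short Description" "Short Description" = {
"requirement" = "required"
"type" = "character"
"limits" "" = {
"maximum length" = "128"
}
}
'''

_OPEN = re.compile(r'^"([^"]*)"(?:\s+"[^"]*")?\s*=\s*\{$')  # "name" ["label"] = {
_PAIR = re.compile(r'^"([^"]*)"\s*=\s*"([^"]*)"$')         # "key" = "value"

def parse_schema(text):
    """Return {field name: spec}; nested blocks (enum, limits) become nested dicts."""
    root, stack = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "}":
            if not stack:
                raise ValueError("unexpected '}' in schema dump")
            stack.pop()
        elif _OPEN.match(line):
            block = {}
            (stack[-1] if stack else root)[_OPEN.match(line).group(1)] = block
            stack.append(block)
        elif _PAIR.match(line) and stack:
            key, value = _PAIR.match(line).groups()
            stack[-1][key] = value
        else:
            raise ValueError("unrecognised schema line: %r" % raw)
    if stack:
        raise ValueError("unbalanced braces in schema dump")
    return root

def check_assignment(schema, field, value):
    """Return None if `field = value` is acceptable on the form, else a reason."""
    spec = schema.get(field)
    if spec is None:
        return "field %r does not exist on the form" % field
    codes = spec.get("enum", {})
    if spec.get("type") == "enumeration" and value not in codes:
        return "%r is not a valid code for %r (allowed: %s)" % (
            value, field, ", ".join(sorted(codes)))
    max_len = spec.get("limits", {}).get("maximum length")
    if max_len is not None and len(value) > int(max_len):
        return "value for %r exceeds maximum length %s" % (field, max_len)
    return None

def check_operation(schema, fields, creating=True):
    """Problems with the pairs an append (creating=True) or assign would write.
    For an append, required fields without a default value must be supplied."""
    problems = []
    for field, value in fields.items():
        reason = check_assignment(schema, field, value)
        if reason:
            problems.append(reason)
    if creating:
        for name, spec in schema.items():
            if (spec.get("requirement") == "required" and name not in fields
                    and "default value" not in spec):
                problems.append("required field %r is not set" % name)
    return problems
```

Run check_operation over the pairs of each append block with creating=True and over each assign block with creating=False; an empty list means every value is one the form accepts. Enumeration fields are compared by code ("4"), not by label ("Closed"), which is how the sample operations below write them.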
Event Action Configuration Interface
The configuration file may also be auto-generated for AR System version 5 or 6 via the event
action configuration interface. To do so, perform the following steps:
• Select the "Configure P-Synch" option, then "Event Actions".
• From the Event configuration page, click the "Target systems" button. Select "Remedy ARS 5.x" or "Remedy ARS 6.x" and the AR System target. Click Add.
• psupdate must now be run in order to generate the schema list file (schmrem5.exe or schmrem6.exe generates this file).
• Once psupdate is complete, go back to the Event configuration page, select an event that you wish to configure and click the Add button.
• Click "Configure" next to "Remedy ARS 5.x" or "Remedy ARS 6.x". On the next page, choose a custom AR System form that will be used for the event.
• The next page is where you choose which fields will be used for the configuration script, such as pxrem6.cfg, as well as their values. After clicking the Update button, the fields and their values will be written to the pxrem6.cfg file, which can be found in the <instance>\bin directory. It is now ready to be used with the specified event.
For more information on configuring event actions, see the Configuring E-mail and Other Event
Actions section in the P-Synch Installation and Configuration Guide.
ID-Synch Integration
ID-Synch Interface
One of the operations that may be performed by ID-Synch is to create a new AR System
user account. To do so, perform the following steps:
• Log in to the ID-Synch server with your ID-Synch administrator login ID and password.
• Create a new Remedy AR System target on the ID-Synch server. To do so, click the “Home” button, and then select the “System configuration” link, followed by “Targets”, and then “Target systems”. The target address may simply be specified as the server name of the Remedy AR System. See the ID-Synch Installation and Configuration Guide for more options regarding the specification of the target address. Ensure that the “Login IDs are case-sensitive” option is checked.
• Set the administrative ID and password for the Remedy AR System administrator, which was created in the pre-installation steps.
• Run the automatic update process to retrieve the list of Remedy AR System users.
• Optionally, create authorizers / locations / object types / templates / roles for provisioning new Remedy AR System users.
• Create a new Remedy AR System user by following the steps outlined for a new user profile.
• Existing user profiles may also be viewed and modified.
SOAP Web Service
Once the AR System User module and ID-Synch are installed, you can integrate them. The steps
to integrate ID-Synch and the AR System are included in the ID-Synch Remote API (SYNCHAPI)
documentation, but a summary of the steps is as follows:
• Set up an administrator on the ID-Synch server; for example: psadmin. This user will be used to log in to the ID-Synch web service.
• Obtain the WSDL file supplied with ID-Synch and update the generic URL with the real URL to the installed ID-Synch web service.
• Create forms and filters on the AR System to consume the ID-Synch web service. To do so, follow the AR System’s documentation on consuming web services.
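Updating the generic URL in the WSDL means changing the location attribute of its soap:address element, which is standard WSDL 1.1 structure. The following is an added example in Python, the editor's own and not M-Tech or BMC code. The WSDL in it is a constructed minimal document with placeholder service, port and endpoint names, not the file M-Tech ships, and the https check reflects that the AR System will authenticate to this endpoint with the ID-Synch administrator account set up in the first step.

```python
# Added example (the editor's, not M-Tech or BMC code): set the soap:address
# endpoint in a WSDL to the real ID-Synch web service URL before the AR System
# consumes the file. SAMPLE_WSDL is a constructed minimal WSDL with placeholder
# names; the real M-Tech WSDL's service, port and operation names are not
# reproduced here.
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

WSDL_NS = "http://schemas.xmlsoap.org/wsdl/"
SOAP_NS = "http://schemas.xmlsoap.org/wsdl/soap/"
ET.register_namespace("wsdl", WSDL_NS)
ET.register_namespace("soap", SOAP_NS)

SAMPLE_WSDL = """<wsdl:definitions xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/"
    xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/"
    targetNamespace="urn:example:placeholder">
  <wsdl:service name="PlaceholderService">
    <wsdl:port name="PlaceholderPort">
      <soap:address location="http://localhost/placeholder/service"/>
    </wsdl:port>
  </wsdl:service>
</wsdl:definitions>
"""

def endpoints(wsdl_text):
    """Return the location of every soap:address in the WSDL, in document order."""
    root = ET.fromstring(wsdl_text)
    return [a.get("location") for a in root.iter("{%s}address" % SOAP_NS)]

def rewrite_endpoint(wsdl_text, new_url, require_https=True):
    """Return the WSDL with every soap:address location replaced by new_url."""
    if require_https and urlsplit(new_url).scheme.lower() != "https":
        # The AR System logs in to this endpoint with the ID-Synch administrator
        # account, so refuse a cleartext URL unless the caller overrides it.
        raise ValueError("endpoint %r is not https" % new_url)
    root = ET.fromstring(wsdl_text)
    addresses = list(root.iter("{%s}address" % SOAP_NS))
    if not addresses:
        raise ValueError("WSDL contains no soap:address element")
    for addr in addresses:
        addr.set("location", new_url)
    return ET.tostring(root, encoding="unicode")
```

Write the returned text to the WSDL file the AR System will import; endpoints() on the result confirms that every port now points at the installed ID-Synch service and nothing still references the placeholder host.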
Example Logon Screens
ID-Synch Self-Service Interface
Log in with your Remedy AR System login ID and password.
Use the self-service interface to reset and manage your Remedy AR System account and ID-Synch
profile.
P-Synch Self-Service Interface
Use the self-service interface to reset and manage your Remedy AR System account and P-Synch
profile.
Sample Scenario
P-Synch Integration
A company has installed P-Synch and the AR System and has set up the configuration file to
perform various entry creations and updates. Below are extractions from sample configuration
files showing the event configurations. Only the "operations" part of the script file is shown. Any
"global definitions" and "functions" would need to be added to the file above these "operations".
See the Help Desk Interface section in the P-Synch Installation and Configuration Guide for more
information. The following are two sample scenarios describing how P-Synch integrates with the
AR System.
Sample Scenario #1
The configuration file is set up to create a new entry when a FRONTEND_IDENTIFY_LOCKOUT
event occurs. It is also set up to update a ticket to a closed status when an
ADMIN_ENABLE_USER event occurs. Note that all fields that are specified in the operations
must previously exist for the AR System form and are able to be set with the specified values.
For this sample, you will also need to expose the ticket entry field in the P-Synch Help Desk
Module so that help desk users can enter the ticket number they are referencing for the
ADMIN_ENABLE_USER operation.
To do so, you will first need to copy the <instance>\design\examples\cgilogin.m4 file to the
<instance>\design\custom directory. Then, you must copy the A_LOGIN section from
<instance>\design\src\common\cgilogin.m4 to the custom cgilogin.m4 file. Uncomment
the entries referring to the ticket number. The next step will be to regenerate the P-Synch GUI
using the make commands; for example: “make en-us”, then “make install en-us”. For more
information regarding the make commands, consult the Customizing the User Interface section of
the P-Synch Installation and Configuration Guide. Once this has been completed, there will be a
new entry field on the Help desk login page (nph-psa.exe) for help desk users to be able to enter
in the ticket number. This value is stored in the %TICKET% variable that will be used in the AR
System configuration script (for example: pxrem6.cfg).
operation(FRONTEND_IDENTIFY_LOCKOUT)
{
append good bad
{
"Assigned To" = "%USERID%"
"Name" = "%USERNAME%"
"Short Description" = "%USERID% locked out of P-Synch"
"Long Description" = "%USERID% (%USERNAME%) locked themselves out of their P-Synch account"
"P-Synch User" = "%USERID%"
"Status" = "0"
"Priority" = "1"
"Case Type" = "1"
"Source" = "2"
"Summary" = "Lock out"
"Category" = "Security/Admin"
"Type" = "Other"
"Item" = "Password Reset"
"Submitter" = "P-SynchAdmin"
}
[good]
success
[bad]
failure "Couldn't create call record for FRONTEND_IDENTIFY_LOCKOUT"
}
operation(ADMIN_ENABLE_USER)
{
search "Request ID" "%TICKET%" good bad
{
}
[good]
assign next bad
{
"Status" = "4"
"Resolved Description" = "Enabled the account for %USERID% by P-Synch administrator %ADMINID%"
}
success
[bad]
failure "Couldn't update call record for ADMIN_ENABLE_USER"
}
The results of this configuration file would be as follows:
An employee named Joe decides he would like to change his password. Unfortunately, when he
enters his old password the Caps Lock is on. After attempting to validate himself three
consecutive times he gets locked out of P-Synch. This is a FRONTEND_IDENTIFY_LOCKOUT
event. A new entry in the AR System is created with the specified type, priority, login name, etc.
All of these are fields within the company’s custom AR System form.
Joe then calls the help desk. Jane answers his call. She logs in to P-Synch as a help desk
administrator, entering the request ID of the previously created entry in the ticket field, and
resets his password to a standard value. She then re-enables his profile ID so that he is
allowed to once again log in. This is an ADMIN_ENABLE_USER event. The entry is updated to
the closed state and an appropriate description is filled in.
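The walkthrough above is the interface program executing steps 2 to 5 of the Integration Summary: read the event's variables, find the matching operation section, and follow its success or failure labels into the help desk system. The following is an added example of that control flow, the editor's own Python and not M-Tech or BMC code. The branching semantics are inferred from the two samples (an action names a label to jump to on success and one on failure, "next" falls through, and success or failure end the section); a list of dicts stands in for the AR System form, and the script text, event variables and generated Request IDs are constructed. It does not reproduce pxrem6.exe itself.

```python
# Added example (the editor's, not M-Tech or BMC code): an interpreter for the
# operation sections above, run against a list of dicts standing in for the AR
# System form. Assumed semantics, inferred from the samples: an action names a
# label to jump to on success and one on failure, "next" falls through, and
# success/failure end the operation. SCRIPT and demo() data are constructed.
import re

SCRIPT = r'''
operation(FRONTEND_IDENTIFY_LOCKOUT)
{
append good bad
{
"Short Description" = "%USERID% locked out of P-Synch"
"P-Synch User" = "%USERID%"
"Status" = "0"
}
[good]
success
[bad]
failure "Couldn't create call record for FRONTEND_IDENTIFY_LOCKOUT"
}
operation(ADMIN_ENABLE_USER)
{
search "Request ID" "%TICKET%" good bad
{
}
[good]
assign next bad
{
"Status" = "4"
"Resolved Description" = "Enabled the account for %USERID% by %ADMINID%"
}
success
[bad]
failure "Couldn't update call record for ADMIN_ENABLE_USER"
}
'''

def parse_script(text):
    """Return {event name: [statement tuples]}; the format is one item per line."""
    ops, stmts, fields = {}, None, None
    for line in text.splitlines():
        words = [a or b for a, b in re.findall(r'"([^"]*)"|(\S+)', line)]
        if not words:
            continue
        if fields is not None:                     # inside a { "field" = "value" } block
            if words == ["}"]:
                stmts[-1], fields = stmts[-1] + (fields,), None
            else:
                fields[words[0]] = words[2]
        elif words[0].startswith("operation("):
            stmts = ops[words[0][len("operation("):-1]] = []
        elif words == ["{"]:                       # operation body, or a field block
            if stmts and stmts[-1][0] in ("append", "assign", "search"):
                fields = {}
        elif words == ["}"]:                       # end of the operation body
            stmts = None
        elif words[0].startswith("["):
            stmts.append(("label", words[0].strip("[]")))
        else:                                      # append/assign/search/success/failure
            stmts.append(tuple(words))
    return ops

def expand(text, env):  # substitute %NAME% from the event log; unknown names stay
    return re.sub(r"%(\w+)%", lambda m: env.get(m.group(1), m.group(0)), text)

def run_event(ops, event, env, entries):
    """Execute the section for `event`, mutating `entries`; return (ok, message)."""
    stmts = ops.get(event, [])
    labels = {s[1]: n for n, s in enumerate(stmts) if s[0] == "label"}
    pc, current = 0, None
    while pc < len(stmts):
        st, pc = stmts[pc], pc + 1
        if st[0] == "label":
            continue
        if st[0] in ("success", "failure"):
            return st[0] == "success", st[1] if len(st) > 1 else "ok"
        if st[0] == "search":                      # select the entry to update
            hits = [e for e in entries if e.get(st[1]) == expand(st[2], env)]
            current, ok, jump = (hits[0] if hits else None), bool(hits), st[3:5]
        elif st[0] == "append":                    # create a new entry
            current = {k: expand(v, env) for k, v in st[3].items()}
            current["Request ID"] = "REQ%06d" % (len(entries) + 1)
            entries.append(current)
            ok, jump = True, st[1:3]
        else:                                      # assign: update the selected entry
            ok, jump = current is not None, st[1:3]
            if ok:
                current.update({k: expand(v, env) for k, v in st[3].items()})
        target = jump[0] if ok else jump[1]
        if target != "next":
            pc = labels[target]
    return True, "no operation configured for %s" % event

def demo():
    """Joe locks himself out; Jane enables him quoting the ticket, then a wrong one."""
    ops, entries = parse_script(SCRIPT), []
    joe = {"USERID": "joe", "USERNAME": "Joe Example", "ADMINID": "jane"}
    r1 = run_event(ops, "FRONTEND_IDENTIFY_LOCKOUT", joe, entries)
    r2 = run_event(ops, "ADMIN_ENABLE_USER", dict(joe, TICKET=entries[0]["Request ID"]), entries)
    r3 = run_event(ops, "ADMIN_ENABLE_USER", dict(joe, TICKET="REQ999999"), entries)
    return entries, r1, r2, r3
```

demo() creates one entry for the lockout, closes it on the ADMIN_ENABLE_USER event carrying the right %TICKET%, and takes the [bad] branch, returning the failure message, when the ticket number does not match any entry; that last case is what the help desk operator sees if the ticket field on the login page was left empty or mistyped.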
Sample Scenario #2
Alternatively, the ticket may also be created and closed all in the same operation. The
configuration file is set up to create and close a ticket when an ADMIN_RESET_SUCCESS event
occurs.
The %TICKET% variable is not required in this case. The status of the ticket is changed to a closed
state directly after it is created.
operation(ADMIN_RESET_SUCCESS)
{
append good bad
{
"Choice" = "1"
"psynch user" = "%USERID%"
"Resolved Description" = "auto-closing ticket. account reset."
"Assigned To" = "%USERID%"
"Name" = "%USERNAME%"
"Short Description" = "Reset %USERID%'s P-Synch Account"
"Long Description" = "Admin Reset of %USERID%'s (%USERNAME%) P-Synch account by %ADMINID%"
"P-Synch User" = "%USERID%"
"Status" = "4"
"Priority" = "1"
"Case Type" = "1"
"Source" = "2"
"Summary" = "Reset"
"Category" = "Security/Admin"
"Type" = "Other"
"Item" = "Password Reset"
"Submitter" = "P-SynchAdmin"
}
[good]
success
[bad]
failure "Couldn't create call record"
}
The results of this configuration file would be as follows:
An employee named Joe has forgotten his password and is unable to login to P-Synch. Joe calls
the help desk. Jane answers his call. She logs in to P-Synch and resets his password to a
standard value. This is an ADMIN_RESET_SUCCESS event. A new ticket is created in the AR
System database for Joe, and then is immediately closed because the password has been
successfully reset. Joe may now login to P-Synch.
These scenarios demonstrate the usefulness of the integration of P-Synch and the AR System.
Had this integration not existed, Jane would have had to create the ticket with all of the required
information when Joe called. She would also have had to make all of the necessary updates and
close the entry. In a company where this type of password related entry occurs often, the time
saved by having entries created and updated automatically is tremendous.
ID-Synch Integration
Let’s refer to sample scenario #2 above with Joe and Jane. If the AR System had been
integrated with ID-Synch using the SOAP web service, Jane would not have needed to log in using
the P-Synch user interface. Instead, Jane only needs to open the company’s custom AR System
form, supply her credentials, and reset Joe’s password. Similarly, Jane could potentially perform all
account management functions, such as creating or deleting accounts, through AR System
forms that are customized to the company’s liking.
Jane may alternatively also centrally perform many AR System account management functions
directly from the P-Synch and ID-Synch interfaces. Several processes may be put in place to
provision new AR System user accounts, delete existing accounts, as well as update user
attributes and reset passwords.
Endnotes
M-Tech Information Technology, Inc and BMC Software produced this integration note to assist
customers with joint BMC Software/M-Tech implementations. BMC Software and M-Tech
Information Technology, Inc have made an effort to ensure that the information contained in this
document is accurate, but do not guarantee any accuracy now or in the future.
P-Synch and ID-Synch are registered trademarks of M-Tech Information Technology, Inc.
Remedy and AR System are registered trademarks or trademarks of BMC Software, Inc. All other
trademarks are the property of their respective owners.
©M-Tech Information Technology 2005. Rights to reproduce this document by written permission
of M-Tech Information Technology only.