Implementing dynamic Password change

Similar Messages

• How to implement Force password change during authentication

  Description of problem
  Our client requires web applications to support its internal security policy beyond
  normal authentication. This includes:
  - force password change periodically. This should be performed at logon time.
  - maintain password history so that a new password would not repeat any of its
  previous 15 changes.
  We already have an authentication server that satisfy these requirements. However,
  we would also like to base our solution on WebLogic security framework so that
  we can leverage the benefit of the container-managed declarative security (e.g.
  we don't need to use our special cookie to check whether a user is authenticated
  for every web page in the application). So the best scenario for us is to wrap
  up this authentication server using WLS 7.0 authentication SSPI.
  My initial investigation of WLS 7.0 security framework (based on edocs and the
  sample customer security provider codes) convinced me that overall, this is achievable.
  However, I am still left with quite a few questions, which I would like to get
  your help.
  Questions:
  1. (web container) The J2EE-standard container-based authentication is to specify
  <login-config> element. My understanding is that only FORM based authentication
  is applicable. The specified form elements:
  <form method="post" action="j_security_check">
  <INPUT TYPE="TEXT" NAME="j_username">
  <INPUT TYPE= "password" NAME="j_password">
  </form>
  is adequate for authentication. However, if the authentication service provider
  indicates that password change is needed, what would be the most appropriate way
  within WebLogic for the authentication service provider to pass such a flag to
  the web container know so that our application can access it? I guess, a simpler
  question, would be, using the standard <login-config>, webapp knows only about
  authentication fails or succeeds. Can it possibly know more information provided
  by the authentication service provider right after authentication?
  2) If we don't use standard FORM-based authentication, we will code up our own
  authentication control, which could give us a lot more flexibility, but can we
  then bind our Subject obtained through our authentication control to the WebLogic
  Subject that is running the webapp.
  3) (Authentication service provider) Our design is for the custom LoginModule
  to delegate login calls to the authentication server, and throws more refined
  exceptions such as: FailedLoginException, PasswordExpiredException, UserAccountLockedException
  (all subclassed from LoginException). Another approach is to provide detailed
  information such as password expired in callbacks. Either way, when Authentication
  service provider returns, how our web application can access this refined flag
  of authentication result.
  4) Can our customer authentication service provider use DataSource defined in
  a weblogic server? I ask this question because DataSource itself is a protected
  resource of WebLogic. Will referencing it during authentication initiate another
  authentication cycle?
  Can anyone who has experienced similar requirements and worked solutions please
  give me a hint? I appreciate your guidance.
  regards
  Licheng

  "Licheng" == Licheng <[email protected]> writes:
  Licheng> Description of problem
  Licheng> Our client requires web applications to support its internal security policy beyond
  Licheng> normal authentication. This includes:
  Licheng> - force password change periodically. This should be performed at logon time.
  Licheng> - maintain password history so that a new password would not repeat any of its
  Licheng> previous 15 changes.
  Licheng> ..
  Licheng> We already have an authentication server that satisfy these requirements. However,
  Licheng> we would also like to base our solution on WebLogic security framework so that
  Licheng> we can leverage the benefit of the container-managed declarative security (e.g.
  Licheng> we don't need to use our special cookie to check whether a user is authenticated
  Licheng> for every web page in the application). So the best scenario for us is to wrap
  Licheng> up this authentication server using WLS 7.0 authentication SSPI.
  I believe it's impractical to fit the requirement of forcing a password change
  into the standard JAAS interface.
  I think the only practical way to do this is to implement a servlet filter that
  reads the persistent record of the logged-in user to check for a "force change
  password flag". If it finds this, the servlet filter will forward to a page to
  change your password. Note that the servlet filter may be hit again when
  trying to get to the change password page, so it needs to know to not do the
  check in that case.
  If you implement this, I would strongly urge you to softcode the "change
  password" page URL in your system configuration, and not hardcode it in the
  servlet filter.
  ===================================================================
  David M. Karr ; Java/J2EE/XML/Unix/C++
  [email protected] ; SCJP; SCWCD

• How to implement dynamic language change in all Components

  Hi all,
  I`m quite confused because i have app in wich i create Language object it is singleton made using abstract factory used for querying text to be shown in components. I has simple method:
  public String getText(String fieldName) {}
  Wich returns text. I have also config object to know what desired language i want to have on startup. But problem occurs when i want to set dynamic language change during app run so all containers gets its texts again using language object (which is another type now). Do You have some ideas ??
  I thought about extending all JButtons,Frames,Labels etc... and adding method:
  void setYourText(Language l) { this.setText(l.getText(// and here we have problem because all fields have unique arguments for getText
  }

  I miss this thread.
  https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/6fdae690-0201-0010-a580-d104b459cb44
  This is almost the right solution for my problem.

• How to handle password changes if we implement singlesignon between BO& BI7

  Hi,
  As we know ,we can implement single signon between BO and SAP BI 7, by importing roles and users through CMC and by selecting the option "Use Single signon during report refresh time".
  My doubt here is, When we import roles from SAP and Auto import the users, is it only the SAP usernames that are stored in BO repository or both username and password. If  second case holds true then how to handle/manage password change for a user who is already imported in BO sometime back?
  Would the password changes be reflected automatically in BO?
  Please guide me if you think that I'm thinking in a wrong direction.

  Hi Naresh,
  password changes are reflected automatically in BO. BO just forwards the data to the SAP side and it does the real authentification.
  Regards,
  Stratos
  PS: Keep in mind that you cannot change the SAP password on the BO login screen if your SAP password has expired. You have to do this with the SAP client (SAP GUI)

• User Password change fails in OWA 2013

  User Password change fails in OWA with this error: Your password couldn't be changed. Make sure the old password you typed is correct and that the new password meets the minimum security requirements.
  We are migrating from Exchange 2007 to Exchange 2013.  Have mailboxes in both environments.  OWA 2007 password changes succeed (user mailbox is still in Exchange 2007).  When the user mailbox is moved to Exchange 2013, password changes fail
  with the above error.
  We have the Exch 2013 servers are on Windows 2012 and we are running Exch 2013 CU3.   We have made changes to the Default Role Assignment Policy to prevent users from changing Contact information and setting user photos, etc.  We are not exactly
  sure when user password changes stopped working, or even if they ever did work, although we recently installed our Prod Exch 2013 servers alongside our 2007 servers without any RBAC delegation implemented and a quick test of a user password change was successful.
  I reversed all the changes to the Default Role Assignment Policy but the password change still fails.

  Hi,
  Please try the following steps in your CAS server:
  1. Click Start > Run and type regedit and click OK.
  2. Navigate to the "HKLM\SYSTEM\CurrentControlSet\Services\MSExchange OWA" key.
  3. Set the ChangeExpiredPasswordEnabled value from 1 to 0.
  4. Close regedit and re-open it.
  5. Set the ChangeExpiredPasswordEnabled value from 0 to 1.
  6. Close regedit.
  7. After you configure this DWORD value, please reset IIS. The recommended method to reset IIS is to use IISReset /noforce from a command prompt.
  Here is the similar thread about password change issue in Exchange 2013 CU3, please refer to:
  http://social.technet.microsoft.com/Forums/en-US/30b74c81-9b98-46f4-9ca0-1c3bb74f4a3f/users-with-expired-passwords-or-change-password-at-next-logon-unable-to-change-password-via-owa-in?forum=exchangesvrclients
  Hope it helps.
  Thanks,
  Winnie Liang
  TechNet Community Support

• ORACLE Password Change using APEX FORM

  Greetings!
  I would like to find out, if there is a utility or a sample page that permits the Database password changes for the DB users within the Database. My goal is for users to maintain password using the Browser, instead of using SQL*Plus or similar Windows tools
  Thanks in advance for your help!
  Muni

  So if you and I can both authenticate to this application, we will necessarily have separate accounts, say in the Application Express account repository of that application's workspace. Our accounts will each have a password that is not synchronized with our database account password. The application will allow me (SCOTT) to change only the database account named SCOTT and will allow you (VIKAS) to change only the database account named VIKAS. That rule would make it unnecessary for the provided form to provide an input field for the database account name (it would be pre-populated). Unfortunately, the chosen authentication method requires each of us to remember our application password, and, if the application is built correctly, to remember our old database password as well. (Implementing that verification has its own issues.) If the application used LDAP then a mapping table would be needed to relate [email protected] to VIKAS. Every time a new database user needed the self-service password facility, a new user account (and a new password), and a new mapping table entry would have to be created. All of that complexity is eliminated if the application uses Database Account credentials authentication -- a new database user is created, the user can authenticate to the application and use it; the database user is removed, the user can no longer authenticate.
  Let's not confuse the aim of providing a self-service "change my database password" application (the original requirement) with the simpler task of providing a super-user-oriented database account management page (like we did in XE).
  Scott

• Password change from SSH in Cisco Secure ACS 4.1

  I am using cisco ACS for windows Release 4.1(1) Build 23 Patch 5.
  I have enable password aging for 30 days. after 30 days it is prompting me to change the password while i telnet to any client. it is working fine.\
  Recently we have disabled telnet in all network devices and using ssh instead of telnet.
  Am not able to change the password from putty. same if i connect through the telnet it is prompting to change the password.
  Because of this i am not able to access any network devices after 30 days.
  Suggestions will be greatly appreciated.
  Thanks in advance.

  Went through this painful exercise a couple
  weeks ago. You need to use the IOS 12.4
  K9 image on the routers because password change
  only supports on ssh version 2. See example
  below:
  [Expert@P1-NGx]# ssh -2 -l ngx1 192.168.15.248
  [email protected]'s password:
  Password change request
  Enter [email protected]'s old password:
  Enter [email protected]'s new password:
  Retype [email protected]'s new password:
  C3640>sh ver
  Cisco IOS Software, 3600 Software (C3640-JK9O3S-M), Version 12.4(13a), RELEASE SOFTWARE (fc1)
  Technical Support: http://www.cisco.com/techsupport
  Copyright (c) 1986-2007 by Cisco Systems, Inc.
  Compiled Tue 06-Mar-07 20:25 by prod_rel_team
  ROM: System Bootstrap, Version 11.1(20)AA2, EARLY DEPLOYMENT RELEASE SOFTWARE (fc1)
  C3640 uptime is 1 week, 5 days, 13 hours, 5 minutes
  System returned to ROM by reload at 03:18:41 UTC Fri Nov 28 2008
  System restarted at 03:20:58 UTC Fri Nov 28 2008
  System image file is "flash:c3640-jk9o3s-mz.124-13a.bin"
  This product contains cryptographic features and is subject to United
  States and local country laws governing import, export, transfer and
  use. Delivery of Cisco cryptographic products does not imply
  third-party authority to import, export, distribute or use encryption.
  Importers, exporters, distributors and users are responsible for
  compliance with U.S. and local country laws. By using this product you
  agree to comply with applicable laws and regulations. If you are unable
  to comply with U.S. and local laws, return this product immediately.
  A summary of U.S. laws governing Cisco cryptographic products may be found at:
  http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
  If you require further assistance please contact us by sending email to
  [email protected].
  Cisco 3640 (R4700) processor (revision 0x00) with 98304K/32768K bytes of memory.
  Processor board ID 24829119
  R4700 CPU at 100MHz, Implementation 33, Rev 1.0
  2 FastEthernet interfaces
  4 Serial interfaces
  1 HSSI interface
  DRAM configuration is 64 bits wide with parity disabled.
  125K bytes of NVRAM.
  32768K bytes of processor board System flash (Read/Write)
  Configuration register is 0x2102
  C3640>
  Easy right?

• How to implement Dynamic SQL in DataService ??

  Hi,
  Is there any way in ALDSP to implement Dynamic SQL in Dataservice ?
  My scenario is "based on set of optional fields i need to join different tables.If the optional field is not there then i don't have to join with the corresponding table."
  Thanks

  Ah yes, I thought that looked familiar. It's same question from July 12.
  There is no way to generate Dynamic SQL in DSP XQuery. There is one query plan for each query. The query plan does not change based on the inputs.
  Using a FilterXQuery on top of a query actually generates a new query. You can play with that if you like, but it is not particularly suited to changing joins. Go with the ad hoc query.

• Password change timestamp attribute in OID 10.1.4???

  It's been suggested to me that release 10.1.4 of the OID would include a timestamp attribute that is updated every time the user changes their password. Does this exist? I know that the modifytimestamp attribute gets set everytime the user changes their password, but this won't work for our purpose because we also have a batch job that pushes account information changes to our OID from a Human Resources Department database, and this batch job can cause the modifytimestamp to be changed.

  Hi,
  you can easily implement this by adding a new objectclass to your users and defining such an attribute "pwdchangetime", in that objectclass.
  Now, to populate that attribute , you will need a post-modify plugin (java plugin). The plugin will run after each successfull password change operation and will update the attribute for that user.
  For an example on how to create such a plugin:
  Oracle® Identity Management Application Developer's Guide
  10g (10.1.4.0.1)
  Part Number B15997-01
  13.6 Java Plug-in Examples
  http://download-uk.oracle.com/docs/cd/B28196_01/idmanage.1014/b15997/java_server_plugins.htm#CHDIIIBI
  BR,
  Octavian

• Datastore - Dynamic password

  Hi,
  We are deploying dataservices and in QA environment, the target database password changes once in 2 weeks. We dont want to update the password to the datastore everytime as it requires manual intervention and also some of the jobs may fail till the time we update the password.
  Is there a way my datastore can have dynamic passwords and read them on the fly. I mean from a text file or so.
  Appreciate for your help.
  Thanks

  I have posted a possible way of doing this using al_engine  for datastore password
  http://www.forumtopics.com/busobj/viewtopic.php?t=150341
  I need to check if you could do the same for other properties, you can try that, check the ATL of the Datastore and see what is the tag name of the FTP password and try adding that also in the input XML and see if it works

• Implement new password policy

  Long story short, inherited an existing domain that has this below in place for their password policy.  I really need to get them into alignment with us, so I need to change this policy to the second one below.  But I know if just went and changed
  those settings, every user(there are only about 30 users) would get prompted to change their password the next time they logged in.  The domain is 2003, so I know that fine grain is not an option.  Is there anything I can do to lessen the blow,
  maybe some kind of script that changes the password last set or something like that??  I went and looked at the attribute on a few of these users, they haven't been set in about 8 years.
  Enforce password history   0 passwords remembered
  Maximum password age   0 days
  Minimum password age   0 days
  Minimum password length   4 characters
  Password must meet complexity requirements   Disabled
  Store passwords using reversible encryption   Disabled
  Enforce password history   10 passwords remembered
  Maximum password age   60 days
  Minimum password age    1 days
  Minimum password length   8 characters
  Password must meet complexity requirements   Enabled
  Store passwords using reversible encryption   Disabled

  "Lessen the blow" ??
  Do you mean for you (the admin who would need to deal with lockouts/resets)?
  Or do you mean for the 30 users ?
  I'd suggest that you try to implement in as few steps as possible. In my experience, progressively enabling password policy settings can be very confusing for end-users, when done in several phases.
  Keep it to two phases, is my advice.
  1) enable everything except aging/expiry
  2) encourage/warn your users that new criteria are in place (length, strength, etc)
  3) encourage your users to manually perform password change. This familiarises them with the length/strength requirements, and, you'll get them doing it at slightly different times, allowing them, and you, to handle the volume of assistance calls.
  4) enable aging after a few days or two weeks. This means that users who have opted-in early, will only need to deal with the expiry window in ~60 days, and will have been through it recently, and so will be familiar.
  Those users who didn't opt-in early via manual password change, will be hit with a forced-change and all-new length/strength concepts to deal with all at once. And you'll get calls from those people, because the Windows password policy dialogs/messages are
  quite awful.
  Also, consider the impact of your existing (or proposed) account lockout settings.
  If these users are technically-savvy (eg are software developers or whatever), they may have many logon sessions running, many devices with cached accounts, etc - this can cause a spike in your account-lockouts, and users who haven't changed passwords in a
  long time, often have many cached/saved/stored/concurrent sessions.
  We have around 1000 calls at helpdesk for password resets/unlocks per week in our estate. We do have a self-service password reset service. We still get calls. We introduced similar password policies to you, more than 10 years ago. It still causes hellish
  Monday spikes in reset/unlock calls.
  sigh.
  Don
  (Please take a moment to "Vote as Helpful" and/or "Mark as Answer", where applicable.
  This helps the community, keeps the forums tidy, and recognises useful contributions. Thanks!)

• RBACx Encrypted Password Change Utility

  Hi all,
  In the OIA/SRM installation guide, there is a reference to a tool, to find out the password of rbacxservice.
  "Oracle Identity Analytics utilizes an encrypted password when communicating with the database.
  To change the default database password, use the RBACx Encrypted Password Change Utility"
  Could you please help me finding out this tool.
  Many thanks in advance.
  Warm regards,
  Manipradeep Sunku.

  The mentioned tool only encrypts the password so that you don't have to store a plain text password in the config file. It does not decrypt it. The default rbacxservice password is rbacxservice.
  The tool does not come with the OIA/SRM distribution so if you need it, you will need to contact support.

• ACS 5.3 UCP Password Change

  Hi at all,
  i have a Problem with the UCP Webside Password Change.
  The Side is running without Problem. A Password Change for the normal User is also o.k.
  Here me Problem.
  I will use this Side also for our Admins to Change here Password but this User has also a Enable Password.
  Is it Possible to Change also this Password with the UCP Webside?
  Thanks for help.
  regards
  Andreas

  Hey Tushar,
  That is our current setup. Right now each user logs in with their AD credentials to get into user exec mode and the same password to get into privileged exec mode. I would like to have a user login with their normal AD credentials to get into user exec mode and a different password (specific to each user, not locally on the device) to login to privileged exec mode. We are doing this for security reasons. Hopefully that clarifys what I'm trying to do.
  Thanks

• Is autoconfig required to be run for apps password change

  Is autoconfig required to be run for apps password change -- We are only changing APPS and APPLSYS passwords.
  How to Change Applications Passwords using Applications Schema Password Change Utility (FNDCPASS or AFPASSWD) [ID 437260.1] -- does not mention anything about autoconfig.
  Please clarify.
  Thanks

  It's mentioned in the document twice
  1. For APPLSYSPUB/GUEST as you mentioned
  2. Under "Verify the new password" which cover the apps/applsys passwords
  If you search the doc for "AutoConfig" you will find it there.
  Thanks,
  Hussein

• Weblogic admin user password change w/o disrupting existing users

  Hi Folks,
  As a business policy we need to change the password of the admin user in weblogic after a cycle of specific period.
  Please let us now how can we do that without losing the other existing users in 'my realm.'
  I understand that we can use the weblogic.utils.security.AdminAcoount utility to give the new password, which will create a new DefaultAuthenticatorInit.ldift file in +<domain-home>/security+ folder (according to Doc ID 1082299.1).
  The password will change but the users in 'my realm' will be lost. (there are many users and it is a production environment so recreation is out-of- question)
  Is there a way we can retain the users and still proceed with the password change?
  Cheers,
  Jeegar

  Hi Jeegar,
  This can be doen by followin the standard procedure by login to console and navigate to :-
  DOMAIN_STRUCTURE--->Security Realm--->myrealm--->Users and Groups---->User tab click on the user weblogic
  --click on the password tab and put the new password there and save (password is changed for the user here)
  ---Logout from the console and login to the console again using the new password
  But when the server starts it do not read the password for the user directly from the realm rather it picked the same from the $DOMAIN_HOME/servers/AdminServer/security/boot.properties
  Now in order to make this change available when the server starts change the values for the username and password in boot.properties and specify them in plain-text and save the same.
  Now next time whenever the server will start it will pick up the new values from the boot.properties and once the same had been accepted those will be encrypted again.
  You might have to make the change for the boot.properties for all the Managed Server if you have the Managed Servers in the domain which will be located at the location $DOMAIN_HOME/servers/<<Managed Server Name>>/data/nodemanager/boot.properties
  You can test the steps on some lower environment first and try the same in Critical environment once the testing goes successful.
  Regards,
  Vijay
  Edited by: V Kumar on Oct 25, 2012 3:06 PM