P-Synch FAQ for Network Architects
How does P-Synch® reset passwords?
P-Synch resets passwords by signing into the target system with sufficiently privileged credentials, looking up the user record, setting the password attribute for that user and logging off from the target system. At least one pair of user ID / password credentials is encrypted into the P-Synch database for each managed system.
On systems that support it, the P-Synch target administrator ID can be given just the rights to list users, look up users, reset passwords and set/clear related attributes such as intruder lockout.
P-Synch is web-based. Clients communicate with the web server over HTTPS, while the server communicates with the managed systems either directly, using their various native protocols, via a P-Synch proxy server (a TCP socket encrypted with 128-bit AES), or via a server-side agent (Unix, OS/390, RSA Authentication Managers) using the same encrypted TCP socket.
How does P-Synch synchronize passwords?
Since passwords are typically hashed on each system in a non-reversible fashion, and since different systems use incompatible password hashes, password synchronization must be an active process that takes place whenever users change their passwords. There are really just two ways to synchronize passwords, and P-Synch supports both:
- Transparent synchronization:
P-Synch can be configured to intercept native password changes on certain systems and:
- Apply a password policy beyond the one built into the system where a native password change first happened and potentially reject the initial password change
- Automatically synchronize the user's other passwords, on other systems, to the same value
Systems that can trigger password synchronization are Windows NT, Active Directory (32-bit, 64-bit), Sun LDAP, IBM LDAP, Oracle Internet Directory, Unix (various), OS/390 and OS/400.
- Web-based synchronization:
Users authenticate to the P-Synch web GUI, using any browser, by keying in their NOS or directory ID and password. They can then set a single password on one or more of their own IDs on one or more systems.
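As an added illustration (not P-Synch code), the Python below models the reset and transparent-synchronization flow described above: each constructed target keeps only a salted hash in its own scheme (SHA-256 or PBKDF2 here, chosen for the example), so the clear-text value can only be propagated at change time, after the extra policy check, and an unreachable target is reported rather than silently skipped. The Target class, the policy rules and the hook name are assumptions of the example.

```python
import hashlib
import os

class Target:
    """Constructed stand-in for a managed system: it keeps only a salted hash
    in its own scheme, so the clear-text value exists only at change time."""

    def __init__(self, name, scheme):
        self.name, self.scheme = name, scheme   # scheme: "sha256" or "pbkdf2"
        self.store, self.reachable = {}, True

    def _hash(self, password, salt):
        if self.scheme == "sha256":
            return hashlib.sha256(salt + password.encode()).digest()
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

    def set_password(self, user, password):
        # Sign in as the privileged connector ID, look up user, set attribute.
        if not self.reachable:
            raise ConnectionError(self.name + " unreachable")
        salt = os.urandom(16)
        self.store[user] = (salt, self._hash(password, salt))

    def verify(self, user, password):
        salt, digest = self.store[user]
        return self._hash(password, salt) == digest

def policy_violations(password):
    # Constructed policy layered on top of the native system's own rules.
    problems = []
    if len(password) < 10:
        problems.append("shorter than 10 characters")
    if not (any(c.isupper() for c in password) and any(c.isdigit() for c in password)):
        problems.append("needs an upper-case letter and a digit")
    return problems

def on_native_password_change(user, password, other_targets):
    """Intercept hook: reject on policy failure, else push the same value to
    every other target and report each outcome."""
    problems = policy_violations(password)
    if problems:
        return {"rejected": "; ".join(problems)}
    outcome = {}
    for target in other_targets:
        try:
            target.set_password(user, password)
            outcome[target.name] = "synchronized"
        except ConnectionError as exc:
            outcome[target.name] = "failed: " + str(exc)
    return outcome
```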
What kind of database does P-Synch use?
In most deployments, P-Synch does not require an external database. Instead, it treats the current state of the target systems as authoritative. P-Synch uses a built-in identity cache to store system configuration information and to cache user profile data drawn from managed systems. The cache significantly improves run-time performance, since it eliminates the need to repeatedly connect to managed systems or to an external directory to look up the same user attributes again and again during a session. The cache is not an authoritative data source -- it simply holds copies of user profile data close to the application, to improve performance.
The identity cache built into P-Synch:
- Is not an authoritative source of data -- it is flushed nightly.
- Stores data in an industry-standard format (xBase/DBF), which most third-party query and reporting tools can read directly or through a standard Windows ODBC driver. Note that third-party software should only be used to query copies of P-Synch data files, not the live dataset.
- Is extremely fast (e.g., 1,000,000 record updates/second) and scalable (1 billion records/table).
- Includes automatic data replication between multiple P-Synch servers (implemented by an included P-Synch data replication service), which provides for both scalability and high availability out of the box.
In P-Synch up to version 6.x and other products up to 4.x, the identity cache is implemented using the CodeBase embedded database engine. This is an open (ODBC-accessible, standard file format) system which does not require a separate software license or a DBA. It is installed as an integral component of P-Synch.
Starting with P-Synch version 7.x and other products 5.x, all in 2008, customers must choose either MS SQL Server or Oracle Database for holding the identity cache and other P-Synch data. The free "express" editions of these products are acceptable.
In almost all deployments, P-Synch rebuilds the internal identity cache nightly, by pulling information from target systems. This process is fault tolerant (i.e., failure to reach a target system causes older information to be retained).
Some organizations already have user profile data, such as login IDs for each user on each system or Q-A (Question-and-Answer) data suitable for user authentication, in an existing database or directory. P-Synch is designed to plug into existing user profile databases or directories (using LDAP, ODBC, etc.), looking up user data at run-time, as required.
A set of built-in plug-in programs is provided to draw user profile data from LDAP, Active Directory or any ODBC database. This can either be done in real-time, or in batch imports (for example, nightly).
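Added example, not P-Synch's own implementation: a minimal in-memory model of the identity cache and its fault-tolerant nightly rebuild described above. The IdentityCache class, the per-system fetch callables and the e-mail attribute used to join login IDs across systems are constructed for illustration.

```python
import copy
import time

class IdentityCache:
    """Constructed model of the cache: a non-authoritative copy of user
    attributes per managed system, rebuilt nightly from the targets."""

    def __init__(self):
        self.data = {}          # system -> {user_id -> attributes}
        self.refreshed = {}     # system -> epoch seconds of last good pull

    def rebuild(self, sources, now=None):
        """`sources` maps system name -> callable returning {user_id: attrs}
        or raising on failure. Unreachable systems keep their old entries,
        so one outage never blanks part of the cache; they are reported."""
        now = time.time() if now is None else now
        fresh, stale = {}, []
        for system, fetch in sources.items():
            try:
                fresh[system] = fetch()
                self.refreshed[system] = now
            except (ConnectionError, TimeoutError) as exc:
                fresh[system] = copy.deepcopy(self.data.get(system, {}))
                stale.append((system, str(exc)))
        self.data = fresh
        return stale

    def lookup(self, system, user_id):
        # Served from the cache; no connection to the target is needed.
        return self.data.get(system, {}).get(user_id)

    def login_id_profile(self, email):
        """Cross-system view: the person's login ID on each system, joined on
        a shared attribute (e-mail here, an assumption of the example)."""
        return {system: uid for system, users in self.data.items()
                for uid, attrs in users.items() if attrs.get("mail") == email}

    def is_stale(self, system, now, max_age=86400):
        # True when the last successful pull is older than one rebuild cycle.
        return now - self.refreshed.get(system, 0) > max_age
```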
What systems does P-Synch support?
- Directories: LDAP (any), Active Directory, Windows NT domains, Novell eDirectory, Novell NDS, Unix NIS and NIS+, Kerberos/DCE (any)
- File/print: Windows NT/2000/2003, Novell NetWare, OS2 LanManager, Samba
- Mainframes: MVS / OS/390 / zOS, RACF, CA-ACF2, CA-TopSecret, VM/ESA, Siemens BS2000, Tandem NonStop, Unisys MCP
- Unix: AIX, DGUX, Digital Unix, HPUX, IRIX, Linux, NCR, OSF4, SCO OS, Solaris, SunOS, Tru64, UnixWare, Unisys, passwd, shadow, Trusted Computing Base
- Midrange: HP MPE, OS/400/iSeries, OpenVMS
- Database: DB2/UDB, Informix, MSSQL, ODBC, Oracle, Sybase
- ERP: SAP R/3 4.0+, PeopleSoft 7.5+, Oracle Applications 11i+, JDE OneWorld
- Messaging: MS Exchange 5.5, MS Exchange 2000/03/07, Novell GroupWise, Lotus Domino/HTTP, Lotus Notes/ID files, HP OpenMail
- WebSSO: IBM TAM, RSA ClearTrust, Entrust getAccess, CA SiteMinder, Oracle COREid, SAP portal
- Flexible agents: API (application programming interface) integration, LDAP attributes, MQ Series, SQL commands, Telnet/TN3270/TN5250 sessions, Unix/Windows cmd-line integration, web forms, web services (SOAP, XML)
- Hardware tokens and smartcards: RSA SecurID, Secure Computing SafeWord, Vasco Digipass, GemPlus, Precise Biometrics
- Miscellaneous: RADIUS (various), local and cached Windows passwords, Peregrine ServiceCenter, Remedy ARS, Clarify eFrontOffice, NAI Magic, Tivoli ADSM, IBM OLAP, IBM Tivoli Access Manager Connected Backup
On what platform does P-Synch run?
P-Synch must be installed on a Windows 2003 server. Installing on Windows 2003 allows P-Synch to leverage client software for most types of target systems, which is available only on the "Wintel" platform. In turn, this makes it possible for P-Synch to manage passwords and accounts on target systems without installing a server-side agent.
The P-Synch server must also be configured with a web server. Since the P-Synch application is implemented as CGI executables, any web server will work. The P-Synch installation program is aware of and can automatically configure IIS, Apache and Sun ONE web servers for use with P-Synch.
P-Synch is a security server and should be locked down accordingly. Please refer to the Hitachi ID document about hardening P-Synch servers to learn how to do this.
In what ways can P-Synch be customized?
The entire P-Synch user interface is customizable and translatable. This includes graphical changes, text changes, layout changes, language translations, etc. No user interface elements are hard-coded into P-Synch. User interface customization is simple to implement. Common elements, such as page layout and HTML preambles, are factored out into standard macros using a publicly available macro language (M4). Modifications made to M4 files are propagated across the entire user interface, without having to touch or understand product source code.
Note that M4 amounts to 3 keywords. It is not something that administrators really have to learn -- what they really need to know is HTML and CSS.
An override mechanism is used to clearly separate user interface customizations from the core UI. In most cases, customizations survive upgrades to P-Synch with little or no administrative correction.
Note: P-Synch administrators wishing to customize the P-Synch user interface should be familiar with HTML and CSS.
A number of system variables change program behavior -- for example setting password policy, intruder lockout policies, non-password authentication rules, etc. All system variables survive product upgrades.
All P-Synch behavioral modifications are made using exit points. Exit points are external programs, called by P-Synch, that are sent very strictly defined inputs and whose outputs are interpreted to modify P-Synch behavior. For example, a plug-in program can be used to:
- Look up a user's login ID profile
- Look up a user's authentication data profile
- Assign a new login ID to a newly created user profile
- Validate workflow request attributes
- Assign appropriate authorizers to a workflow request
- Find new authorizers to whom a request will be escalated due to non-response from the original authorizers
Externalizing behavioral modifications to exit-point programs has two benefits:
- It is significantly easier for Hitachi ID customers to adjust P-Synch behavior.
- Customizations automatically survive P-Synch upgrades.
Over 163 exit points are available. Exit points enable an external program to propagate information from a P-Synch process to an external system -- such as sending an e-mail to the user, or creating, updating or closing a ticket in a call tracking system.
Exit points may be triggered by authentication attempts, success or failure; user profile lookup; successful or failed user profile updates; intruder lockouts; system configuration changes; partial or total task completion; etc.
Various pre-built binaries are included with P-Synch for this purpose, supporting integration with systems such as:
- Axios Assyst
- BMC (formerly NAI) Magic (any version)
- CA Unicenter Help Desk
- Clarify eFrontOffice (currently just version 8)
- FrontRange HEAT (any version)
- HP Service Desk
- Peregrine ServiceCenter (any version)
- BMC/Remedy ARS (any version)
- Siebel ERM (any version; using web services)
- SupportSoft (any version; using web services)
- Tivoli Problem Management / Service Desk (any version)
- ... and more
In addition to exit points, which by definition have a unidirectional data flow from P-Synch to another system, there are also numerous plug-in points, which specify behavioral changes and are bidirectional. That is, data flows back into P-Synch from an external system, via an upgrade-proof protocol. Examples include:
- Accessing and updating user profile data in external directories using LDAP or SQL.
- Leveraging external authentication systems, such as RSA SecurID tokens or authentication databases, such as HR systems.
- Limiting what user profiles and accounts help desk analysts and local security officers can access.
- Assigning standards-compliant login IDs to new users.
- Validating inputs on security access change requests.
- Routing security change requests to appropriate authorizers.
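Added example of the two integration styles described above, one-way exit points and two-way plug-in points; this is constructed code, not P-Synch's protocol: the JSON-on-stdin contract, the login ID validation rule, the function names and the sample plug-ins are assumptions of the example, with the sample plug-ins written as inline Python programs so the block runs offline.

```python
import json
import subprocess
import sys

def python_program(code):
    # Helper so the constructed sample plug-ins below run on any platform.
    return [sys.executable, "-c", code]

def run_plugin(command, payload, timeout=10):
    """Invoke an external program with strictly defined JSON input on stdin and
    interpret its JSON output. This contract (JSON in/out, exit code 0 means
    success) is constructed for the example, not P-Synch's own protocol."""
    proc = subprocess.run(command, input=json.dumps(payload).encode(),
                          capture_output=True, timeout=timeout)
    if proc.returncode != 0:
        raise RuntimeError("plug-in exited %d: %s"
                           % (proc.returncode, proc.stderr.decode().strip()))
    return json.loads(proc.stdout.decode())

def fire_exit_point(command, event):
    """Exit point: data flows one way. A failing notifier is reported (False)
    but must never block the P-Synch task that triggered it."""
    try:
        run_plugin(command, event)
        return True
    except (RuntimeError, subprocess.TimeoutExpired, ValueError):
        return False

def assign_login_id(command, profile):
    """Plug-in point: data flows back. The program's answer changes behaviour,
    so it is validated against a (constructed) login ID standard before use."""
    reply = run_plugin(command, {"action": "assign-login-id", "profile": profile})
    login_id = str(reply.get("login_id", ""))
    if not (2 <= len(login_id) <= 8 and login_id.isalnum() and login_id.islower()):
        raise ValueError("plug-in returned invalid login ID %r" % login_id)
    return login_id

# Constructed sample plug-ins (not shipped with P-Synch).
NOTIFIER = python_program("import json,sys; json.load(sys.stdin); print('{}')")
LOGIN_ID_PLUGIN = python_program(
    "import json,sys; p=json.load(sys.stdin)['profile'];"
    " print(json.dumps({'login_id': (p['first'][0]+p['last']).lower()[:8]}))")
```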
How does P-Synch compare to the "password reset disk" in Windows XP and .NET?
Starting with Windows XP, users can create a "password reset disk" whenever they change their passwords. If a user forgets his login password, he can log into his workstation by typing his login ID, leaving the password field blank and instead inserting a previously created password reset disk.
This feature is helpful for home users, but is significantly less useful than self-service password reset with P-Synch:
- Does not work for domain users: The password reset disk feature does not work for domain passwords -- only local ones.
- Inconvenient: Users must create a new disk whenever they change their passwords. In comparison, users register with P-Synch just once.
- Inconvenient: Mobile users must carry the password reset disk with them. In comparison, users can access P-Synch from any computer, at any time.
- Insecure: Anyone who can touch the password reset disk can steal or copy it and subsequently log into the user's account. There is no comparable vulnerability in P-Synch.