AnsweredAssumed Answered

Service Account Password Complexity - Prod RSA

Question asked by Prashant Singh on Sep 4, 2019
Latest reply on Sep 16, 2019 by Sriranga Prasanna

Like • Show 0 Likes0
Comment • 11

Hi Team,

A recent security audit has flagged up a non-compliant finding which will require a remediation on high priority due to its critical nature.

The passwords for the below accounts should meet the complexity requirements as below.

If password is set for never expire , password length must be 20 characters and contains all four qualities i.e. upper case characters, lower case characters, numeric & special characters

Name	Type	Description	Owner	Comments
svcprd_sha_rsaldap	User	RSA LDAP	Atos	10 Characters Password

Please advise..

No one else has this question

Outcomes

11 Replies

Sriranga Prasanna Sep 5, 2019 9:14 AM
Mark Correct
Correct Answer
Used a complex password such as P)g7dq)f%YbV~%8d/$%u (20 characters) having all four qualities i.e. upper case characters, lower case characters, numeric & special characters)
Updated the password for the account used for Active directory binding from the Operations console and it works fine.

Let me know if that helps answer your query
Like • Show 1 Like1
Actions
Prashant Singh Sep 7, 2019 6:16 AM
Mark Correct
Correct Answer
Hi Prasanna,

Thanks for the update, i am scared If i am changing the complex password that is having all 4 qualities from the operation console it will not broken the existing setup like Load balance web tier and Radius server and all authentication goes to the Active directory.please let me know. thanks..
Like • Show 0 Likes0
Actions
- Sriranga Prasanna @ Prashant Singh on Sep 9, 2019 9:55 AM
  Mark Correct
  Correct Answer
  Create a Test user that has a 20 character length password with the required complexity and ensure that user is available to RSA. Verify if that user is able to login to Self service console with an LDAP password to rule out any issues.
  Like • Show 0 Likes0
  Actions
Prashant Singh Sep 9, 2019 10:03 AM
Mark Correct
Correct Answer
Hi Prasanna,

Thanks for the update. Could you please share the steps how we can test in the self service console if the user is able to login to self service console with an LDAP password.thanks.
Like • Show 0 Likes0
Actions
Jay Guillette Sep 9, 2019 11:17 AM
Mark Correct
Correct Answer
Prashant,
In the Security Console - Setup - Self Service, there is a section for authentication methods to the Self Service Console.
Where you can set authentication Methods for the Self Service Console, including something like Either Token, or Password (either LDAP or user created in the Internal database). There is a similar setting for the Security Console.

When you access the Self Service console -
https://am82p.vcloud.local:7004/console-selfservice/
You are presented with options to either logon or even request an account
If you have configured a choice between Password and Passcode, when you enter your UserID, you will be presented to select which choice you want to logon with.
Like • Show 0 Likes0
Actions
Prashant Singh Sep 9, 2019 11:47 AM
Mark Correct
Correct Answer
Thanks again Prasanna

How we can change the password for the account used for Active directory binding from the Operations console. Please share the steps..
Like • Show 0 Likes0
Actions
- Jay Guillette @ Prashant Singh on Sep 9, 2019 12:46 PM
  Mark Correct
  Correct Answer
  If you change the AD or LDAP service account password in AD or LDAP, you reflect that change in the Identity Source Configuration in the Operations console - Deployment Configuration
  Like • Show 0 Likes0
  Actions
Prashant Singh Sep 10, 2019 5:35 AM
Mark Correct
Correct Answer
Thanks Prasanna. One more things we have 1 primary radius server and 2 replica server so while changing the complexity password from the Operation console, it will updated the primary radius server only or we need to change the password for the primary and 2 Replica server as well if yes please share the steps. thanks in advance
Like • Show 0 Likes0
Actions
Sriranga Prasanna Sep 11, 2019 12:40 PM
Mark Correct
Correct Answer
The change is only to be made on the Primary RSA AM server.
Like • Show 1 Like1
Actions
Prashant Singh Sep 15, 2019 1:11 PM
Mark Correct
Correct Answer
Thanks Prasanna,

Today i have received the critical notification alert from RSA.

See the below details,we need to take any action on those alert please advise.
Critical Event Notification :
Attention! The following critical system event occurred: Failed to connect to LDAP Identity Source[KPMG Management Domain].

Regards,
Prashant Singh
Like • Show 0 Likes0
Actions
Sriranga Prasanna Sep 16, 2019 8:17 AM
Mark Correct
Correct Answer
Is this notification received post changes to the service account connecting from RSA to LDAP or is it independent of that activity?
Has the RSA services been restarted on the servers post the change of password?
This shall need additional investigation from the logs if the notification is received again. In that please open a case with us.
Refer- 000036161 - How to open a technical support case via the Case Management portal on RSA Link
Like • Show 0 Likes0
Actions

Service Account Password Complexity - Prod RSA

Outcomes

Related Content

Recommended Content