Password Management

Last modified on 2023/04/19 17:33

   Password management includes protection against brute-force attacks.

Notes:

  • This documentation is intended for Service Manager on-premises customers.
  • SaaS customers should submit a change request to the EasyVista Support team to enable encryption or to force the reset of employee passwords.

Definition

To access Service Manager resources and services, user authentication is required. Secure access is ensured using a login and reinforced when users are required to enter an encrypted password.

  • Passwords are used in certain configuration files and administration tables for employees and integration models. See the types of passwords.
  • EasyCrypt is a tool shipped with the Service Manager setup. It must be used for encrypting passwords.
  • You can implement an Employee password policy with constraints for defining passwords. See the procedure.

Types of passwords

Administration passwords

Employee passwords

  • They enable you to check the identity of users requesting access to a resource or service that requires authentication, e.g. Service Manager, the Technical Support Agent, the Service Manager REST API, etc.
  • They are stored in the AM_EMPLOYEE table in the EVO_DATA database.
  • You can enable encryption by defining the configuration in the A_COMPANY table in the EVO_ADMIN database. See the procedure.
  • Once you have enabled encryption:
    • All new passwords will automatically be encrypted.
    • All existing passwords must be encrypted using EasyCrypt. See the encryption procedure.

Integration model passwords

  • They are used to log in to the databases queried by integration models.
  • They are stored in integration models in the connection strings of databases.

Notes

  • You can manage employee access using an LDAP directory or an SSO tool. In this case:
    • The passwords defined in the LDAP directory or SSO tool will be used instead of those defined in Service Manager.
    • Only passwords for external service providers authorized to access Service Manager should be defined via employee access management.
    • In Other Parameters, you should activate the parameter called {ADMIN} Enable double authentication to check whether users missing from the LDAP directory or SSO tool are defined in Service Manager.
  • Passwords are always entered in plain text when users log in to Service Manager.
    • Their password is encrypted in a transparent way when they request access to Service Manager. 
    • Access is authorized if the encrypted password is identical to the encrypted password stored in the database.

  • Employee password policy:
    • It is defined by EasyVista.
    • It is displayed when users click the Forgot your Password? link to change their password, or when their user password is expired.
    • It includes rules that all users are required to respect for the entry of passwords: eight characters minimum, with at least one upper-case letter, one lower-case letter, one number and one special character.
    • You can only modify the minimum number of characters for passwords. The default value is defined in Other Parameters > {ADMIN} User passwords: minimum number of characters.

Caution

  • For security reasons and to safeguard data confidentiality, only administrators are authorized to implement employee password encryption.
  • You should always perform a backup of the EVO_DATA database before implementing the encryption of employee passwords.
  • If you want certain users to change their password on a regular basis, you can force passwords to expire manually. Define a query to select the relevant users.

List of administration tables and files secured using passwords

File/Table | Attribute
smoBackOffice.cfg | [POP3 Connect], [SQL Connection]
smoServer.ini | Password
smoTranslator.ini | Password, Owner_Password
EVO_ADMIN.A_COMPANY | ADMIN_PWD, CONFIG_OWNER_PASSWORD, CONFIG_PASSWORD, DATAONLINE_OWNER_PASSWORD, DATAONLINE_PASSWORD, REFERENCE_OWNER_PASSWORD, REFERENCE_PASSWORD, LDAP_PWD
EVO_ADMIN.A_PARAMETERS | BackOffice_Owner_Password, BackOffice_Password, DOCUMENT_SHARE_PASSWORD, FTP_PASSWORD, PORTAL_PWD, PROCEDURE_OWNER_PASSWORD, PROCEDURE_PASSWORD, SMTP_PASSWORD, SMTPPassword
EVO_DATA.AM_PARAMETER | MAPI_PASSWORD
EVO_DATA.SD_MAILBOX | User_password

Procedures

How to define an employee password policy

   Password management includes protection against brute-force attacks.

  • The policy applies to all Service Manager and Service Apps users.

Notes:

  • Only for users not managed in an LDAP directory or SSO tool.
  • Password definition rules apply only to passwords stored in the AM_EMPLOYEE table, for both Service Manager and Service Apps users.
  • Passwords must satisfy at least the following requirements: eight characters minimum (you can set this value), with at least one upper-case letter, one lower-case letter, one number and one special character.

Step 1: Run the dedicated wizard.

1. Select Administration > Access Management > Employees in the Service Manager menu.

2. Run the Definition of Password Policies wizard.

Caution: The configuration defined in the wizard applies automatically to all users, even if you only make a partial selection of users in the list of employees.

Step 2: Define the password expiration rules.

1. Select the Enable the password expiration box.

The required fields for managing password expiration will appear.

2. Define the password expiration rules to be applied to your company.

  • If you want users to change their password on a regular basis, specify the frequency for doing so.
  • If you want users to change their password when they next log in to Service Manager/Service Apps, select the Expire all passwords now box.

Step 3: Define the password definition rules.

1. You can only modify the minimum number of characters for passwords.

You cannot modify the other rules: at least one upper-case letter, one lower-case letter, one number and one special character.

Note: The default value of the minimum number of characters for passwords is defined in Other Parameters > {ADMIN} User passwords: minimum number of characters.

Step 4: Enable the Employee password policy.

1. Click Finish.

  • The password definition rules will take effect when users next log in to Service Manager/Service Apps.
  • When passwords are due to expire:
    • The last update date of the password will reset to blank in the AM_EMPLOYEE table (PASSWD_LAST_UPDATE_UT field).
    • An email will be sent to each user with a new temporary password.

Step 5: Users are required to change their password that is due to expire.

1. When passwords are due to expire, the Service Manager/Service Apps login window will display a message asking users to enter a new password.

2. Users must change their password.

  • Users must enter the temporary password sent by email in the Previous password field.
  • Users must enter and confirm their new password in plain text in the relevant fields and click OK.
  • The last update date for the password will be refreshed in the AM_EMPLOYEE table.
  • The new password will be encrypted and stored in the AM_EMPLOYEE table.

How to assign a password to a user

Note: Only for users not managed in an LDAP directory or SSO tool.

Step 1: Select the Employee form.

1.  Select Administration > Access Management > Employees or Directory > Employees in the menu.

2. Select the relevant user.

Step 2: Enter the new password for the user.

1. Run the Change Password wizard.

2. Enter and confirm the password to be assigned to the user.

3. Click Finish.

  • An email will be sent to the user with the new password.
  • The new password will take effect when the user next logs in to Service Manager.

How to change your own password

Note: Only for users not managed in an LDAP directory or SSO tool.

1. Click the user information zone in the top banner.

2. Select Change my Password.

3. Enter your previous password.

4. Enter and confirm your new password.

5. Log out of Service Manager.

6. Log in again using your new password.

How to request a new password if the password is forgotten

Note: Only for users not managed in an LDAP directory or SSO tool.

Step 1: Request a new password.

1. Click Forgot your Password? in the Service Manager login window.

2. Enter your Service Manager login or email address.

3. Click Send.

An email with a temporary password will be sent to your Service Manager inbox.

Step 2: Enter a new password.

1. Log in to Service Manager using the temporary password sent by email.

Note: If you use this password once the validity period has been exceeded, the login page will invite you to enter and replace it immediately.

2. Enter your new password.

  • Enter the temporary password sent by email in the Previous password field.
  • Enter and confirm your new password.
  • Click OK.

Your previous password will be reset and will no longer be usable.

How to implement employee password encryption

Note: Only for encrypting passwords of users not managed in an LDAP directory or SSO tool.

   For security reasons and to safeguard data confidentiality, only administrators are authorized to implement this procedure.

Prerequisites: Perform a backup of the EVO_DATA database. 

Step 1: Enable employee password encryption.

1. Run the query below in SQL Server Management Studio.

Note: Replace {your_account} with the Service Manager account where the passwords must be encrypted.
Example: 50004 (production database); 50005 (sandbox database)

UPDATE [EVO_ADMIN].[EZV_ADMIN].[A_COMPANY]
SET crypt_pass=1
WHERE company_account={your_account}

2. Restart EasyVista services in the order indicated below.

Best practice: Use Desktop shortcuts to restart the application (start EZV, stop EZV and restart EZV). You can also use the Service Manager to restart the services in the order indicated below.

    Stopping services

  • net stop smoScheduler
  • net stop smoAstService
  • net stop smoPrintServer
  • net stop TSmoMonitoringService
  • net stop EasyVistaKernel
  • net stop EasyVistaServer
  • net stop SMO_Server
  • net stop SMOBroker

    Restarting services

  • net start SMOBroker
  • net start SMO_Server
  • net start EasyVistaServer
  • net start EasyVistaKernel
  • net start TSmoMonitoringService
  • net start smoPrintServer
  • net start smoAstService
  • net start smoScheduler
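
Step 1 as a single PowerShell script, added here as an example and not EasyVista's own code: it takes the prerequisite backup, applies the crypt_pass update inside a transaction, then stops and starts the services in the order listed above. The SQL Server instance name, backup path and timeout are assumptions, and the SqlServer PowerShell module is assumed to be installed.

```powershell
#Requires -Modules SqlServer
# Added example; values marked "assumption" do not come from the documentation.
$ErrorActionPreference = 'Stop'

$SqlInstance  = 'localhost'                        # assumption: instance hosting EVO_ADMIN and EVO_DATA
[int]$Account = 50005                              # the page gives 50005 as the sandbox database
$BackupFile   = 'D:\Backup\EVO_DATA_pre_crypt.bak' # assumption: path on the SQL Server host
$Timeout      = [TimeSpan]::FromSeconds(120)       # assumption: per-service wait limit

# Stop order as documented; the start order is its exact reverse.
$StopOrder  = 'smoScheduler', 'smoAstService', 'smoPrintServer', 'TSmoMonitoringService',
              'EasyVistaKernel', 'EasyVistaServer', 'SMO_Server', 'SMOBroker'
$StartOrder = $StopOrder[($StopOrder.Count - 1)..0]

# Prerequisite: back up EVO_DATA before changing how passwords are stored.
Backup-SqlDatabase -ServerInstance $SqlInstance -Database 'EVO_DATA' -BackupFile $BackupFile

# Enable encryption for one account; roll back unless exactly one row matched.
$query = @"
BEGIN TRANSACTION;
UPDATE [EVO_ADMIN].[EZV_ADMIN].[A_COMPANY]
SET crypt_pass = 1
WHERE company_account = $Account;
DECLARE @n int = @@ROWCOUNT;
IF @n = 1 COMMIT TRANSACTION ELSE ROLLBACK TRANSACTION;
SELECT @n AS updated;
"@
$result = Invoke-Sqlcmd -ServerInstance $SqlInstance -Query $query
if ($result.updated -ne 1) {
    throw "Expected 1 row for account $Account, matched $($result.updated); nothing was changed."
}

# Stop each service in order and wait until it reports Stopped.
foreach ($name in $StopOrder) {
    $svc = Get-Service -Name $name
    if ($svc.Status -ne 'Stopped') { Stop-Service -InputObject $svc }
    $svc.WaitForStatus('Stopped', $Timeout)        # throws on timeout, aborting the run
}

# Start each service in reverse order and wait until it reports Running.
foreach ($name in $StartOrder) {
    Start-Service -Name $name
    (Get-Service -Name $name).WaitForStatus('Running', $Timeout)
}

Get-Service -Name $StartOrder | Format-Table Name, Status
```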

Step 2: Batch encrypt existing passwords.

1. Save the existing non-encrypted passwords in a CSV file.

2. Use EasyCrypt to encrypt all of the passwords in the CSV file.

    See How to use EasyCrypt (Batch encrypt passwords contained in a CSV file)

All passwords will be encrypted and saved in a new CSV file.

Step 3: Store passwords in the am_employee table.

1. Define an integration model.

  • Use the Employee connector.
  • Select the CSV file containing the encrypted passwords as the data source.
  • Map the fields for the passwords and for the salt if you selected the With Salt option during the hashing process.

2. Run the integration.

All of the passwords in the AM_EMPLOYEE table will be replaced with the encrypted passwords.
