Password Management

Last modified on 2022/05/28 10:54

Contents

Types of passwords
Notes
Caution
List of administration tables and files secured using passwords
Procedures

Note:

This documentation is intended for Service Manager on-premises customers.
SaaS customers should submit a change request to the EasyVista Support team to enable encryption or to force the reset of employee passwords.

Definition

To access Service Manager resources and services, user authentication is required. Secure access is ensured using a login and reinforced when users are required to enter an encrypted password.

Passwords are used in certain configuration files and administration tables for employees and integration models. See the types of passwords.
EasyCrypt is a tool shipped with the Service Manager setup. It must be used for encrypting passwords.
You can implement an Employee password policy with constraints for defining passwords. See the procedure.

EndDefinition

Types of passwords

Administration passwords

They are used to ensure secure access to EasyVista services.
They are stored in the configuration files of EasyVista services and in certain tables in the EVO_ADMIN and EVO_DATA databases. See the list of administration tables and files secured using passwords.
They are encrypted when Service Manager is installed. You can update them using EasyCrypt. See the encryption procedure.

Employee passwords

They enable you to check the identity of users requesting access to a resource or service that requires authentication, e.g. Service Manager, the Technical Support Agent, the Service Manager REST API, etc.
They are stored in the AM_EMPLOYEE table in the EVO_DATA database.
You can enable encryption by defining the configuration in the A_COMPANY table in the EVO_ADMIN database. See the procedure.
Once you have enabled encryption:
- All new passwords will automatically be encrypted.
- All existing passwords must be encrypted using EasyCrypt. See the encryption procedure.

Integration model passwords

They are used to log in to the databases queried by integration models.
They are stored in integration models in the connection strings of databases.

Notes

You can manage employee access using an LDAP directory or an SSO tool. In this case:
- The passwords defined in the LDAP directory or SSO tool will be used instead of those defined in Service Manager.
- Only passwords for external service providers authorized to access Service Manager should be defined via employee access management.
- In Other Parameters, you should activate the parameter called {ADMIN} Enable double authentication to check whether users missing from the LDAP directory or SSO tool are defined in Service Manager.

For users not managed in an LDAP directory or SSO tool:
- You can assign passwords to users using the Change Password wizard in employee access management. See the procedure.
- Users can change their own password in the user information zone.
- Users who have forgotten their password can recover it using the Service Manager login window.

Passwords are always entered in plain text when users log in to Service Manager.
- Their password is encrypted in a transparent way when they request access to Service Manager.
- Access is authorized if the encrypted password is identical to the encrypted password stored in the database.

Caution

For security reasons and to safeguard data confidentiality, only administrators are authorized to implement employee password encryption.

You should always perform a backup of the EVO_DATA database before implementing the encryption of employee passwords.
If you want certain users to change their password on a regular basis, you can force passwords to expire manually. Define a query to select the relevant users.

List of administration tables and files secured using passwords

File/Table	Attribute
smoBackOffice.cfg	[POP3 Connect] \| [SQL Connection]
smoServer.ini	Password
smoTranslator.ini	Password \| Owner_Password
EVO_ADMIN.A_COMPANY	ADMIN_PWD \| CONFIG_OWNER_PASSWORD \| CONFIG_PASSWORD \| DATAONLINE_OWNER_PASSWORD \| DATAONLINE_PASSWORD \| REFERENCE_OWNER_PASSWORD \| REFERENCE_PASSWORD \| LDAP_PWD
EVO_ADMIN.A_PARAMETERS	BackOffice_Owner_Password \| BackOffice_Password \| DOCUMENT_SHARE_PASSWORD \| FTP_PASSWORD \| PORTAL_PWD \| PROCEDURE_OWNER_PASSWORD \| PROCEDURE_PASSWORD \| SMTP_PASSWORD \| SMTPPassword
EVO_DATA.AM_PARAMETER	MAPI_PASSWORD
EVO_DATA.SD_MAILBOX	User_password

Procedures

How to implement employee password encryption

Note: Only for encrypting passwords of users not managed in an LDAP directory or SSO tool.

Caution: For security reasons and to safeguard data confidentiality, only administrators are authorized to implement this procedure.

Prerequisites: Perform a backup of the EVO_DATA database.

Step 1: Enable employee password encryption.

1. Run the query below in SQL Server Management Studio.

Note: Replace {your_account} with the Service Manager account where the passwords must be encrypted.
example 50004: Production base; 50005: Sandbox database

UPDATE [EVO_ADMIN].[EZV_ADMIN].[A_COMPANY]
SET crypt_pass=1
WHERE company_account={your_account}

2. Restart EasyVista services in the order indicated below.

Best Practice icon.png Use Desktop shortcuts to restart the application (start EZV, stop EZV and restart EZV). You can also use the Service Manager to restart the services in the order indicated below.

Stopping services

net stop smoScheduler
net stop smoAstService
net stop smoPrintServer
net stop TSmoMonitoringService
net stop EasyVistaKernel
net stop EasyVistaServer
net stop SMO_Server
net stop SMOBroker

Restarting services

net start SMOBroker
net start SMO_Server
net start EasyVistaServer
net start EasyVistaKernel
net start TSmoMonitoringService
net start smoPrintServer
net start smoAstService
net start smoScheduler

Step 2: Batch encrypt existing passwords.

1. Save the existing non-encrypted passwords in a CSV file.

2. Use EasyCrypt to encrypt all of the passwords in the CSV file.

Open url.png See How to use EasyCrypt (Batch encrypt passwords contained in a CSV file)

All passwords will be encrypted and saved in a new CSV file.

Step 3: Store passwords in the am_employee table.

StoreEmployeeCryptedPasswords

1. Define an integration model.

Use the Employee connector.
Select the CSV file containing the encrypted passwords as the data source.
Map the fields for the passwords and for the salt if you selected the With Salt option during the hashing process.

2. Run the integration.

All of the passwords in the AM_EMPLOYEE table will be replaced with the encrypted passwords.

EndStoreEmployeeCryptedPasswords

How to define an Employee password policy

Note:

Password definition rules apply only to passwords stored in the AM_EMPLOYEE table.
Only for users not managed in an LDAP directory or SSO tool.

Step 1: Run the dedicated wizard.

1. Select Administration > Access Management > Employees in the menu.

2. Run the Definition of Password Policies wizard.

Caution: The configuration defined in the wizard applies automatically to all users, even if you only make a partial selection of users in the list of employees.

Password Policies wizard - Off.png

Step 2: Define the password expiration rules.

1. Select the Enable password expiration box.

The mandatory fields for managing password expiration will appear.

2. Define the password expiration rules to be applied to your company.

If you want users to change their password on a regular basis, specify the frequency for doing so.

If you want users to change their password when they next log in to Service Manager, select the Force all passwords to expire box.

Step 3: Define the password definition rules.

1. Select the {ADMIN} Enable data entry constraint for passwords box to activate the password policy.

The mandatory fields for defining the constraints will appear.

Password Policies wizard.png

2. Define the password definition rules to be applied to your company.

Define the constraint using a regular expression. By default: six characters minimum ({6,}) and any character accepted (.).

In the Description of Constraint field, enter the error message to be displayed if users do not meet the password definition constraints.

3. Test the constraint on passwords.

Enter a password in the Strings to be tested column.
Click Test the Constraint.
Check that the result is equal to 1. This means that the string meets the data entry constraints.
Make the required modifications to the constraint if the result is equal to 0, because that means that an error occurred.

Step 4: Enable the Employee password policy.

1. Click Finish.

In Other Parameters, the parameter called {ADMIN} Enable data entry constraint for passwords will be updated with the value of the regular expression.
The password definition rules will take effect when users next log in to Service Manager.
When passwords are due to expire:
- The last update date of the password will reset to blank in the AM_EMPLOYEE table (PASSWD_LAST_UPDATE_UT field).
- An email will be sent to each user with a new temporary password.

Step 5: Users are required to change their password that is due to expire.

1. When passwords are due to expire, the Service Manager login window will display a message asking users to enter a new password.

2. Users must change their password.

Users must enter the temporary password sent by email in the Previous password field.
Users must enter and confirm their new password in plain text in the relevant fields and click OK.

The last update date for the password will be refreshed in the AM_EMPLOYEE table.
The new password will be encrypted and stored in the AM_EMPLOYEE table.

How to assign a password to a user

Note: Only for users not managed in an LDAP directory or SSO tool.

Step 1: Select the Employee form.

1. Select Administration > Access Management > Employees or Directory > Employees in the menu.

2. Select the relevant user.

Step 2: Enter the new password for the user.

1. Run the Change Password wizard.

2. Enter and confirm the password to be assigned to the user.

3. Click Finish.

An email will be sent to the user with the new password.
The new password will take effect when the user next logs in to Service Manager.

How to change your own password

Note: Only for users not managed in an LDAP directory or SSO tool.

1. Click the user information zone Fundamentals - User management zone - Little.png in the top banner.

2. Select Password close icon.png Change my Password.

3. Enter your previous password.

4. Enter and confirm your new password.

5. Log out of Service Manager.

6. Log in again using your new password.

How to request a new password if the password is forgotten

Note: Only for users not managed in an LDAP directory or SSO tool.

Step 1: Request a new password.

1. Click Forgot your Password? in the Service Manager login window.

2. Enter your Service Manager login or email address.

3. Click Send.

An email with a temporary password will be sent to your Service Manager inbox.

Step 2: Enter a new password.

1. Log in to Service Manager using the temporary password sent by email.

Note: If you use this password once the validity period has been exceeded, the login page will invite you to enter and replace it immediately.

2. Enter your new password.

Click Change my Password in the user information zone.

Enter the temporary password sent by email in the Previous password field.
Enter and confirm your new password.
Click OK.

Your previous password will be reset and will no longer be usable.

Tags:

Password Management

Definition

EndDefinition

Types of passwords

Notes

Caution

List of administration tables and files secured using passwords

Procedures

How to implement employee password encryption

StoreEmployeeCryptedPasswords

EndStoreEmployeeCryptedPasswords

How to define an Employee password policy

How to assign a password to a user

How to change your own password

How to request a new password if the password is forgotten

Help

Shortcuts

Navigation