Password Management
Definition
To access Service Manager resources and services, user authentication is required. Secure access is ensured using a login and reinforced when users are required to enter an encrypted password.
- Passwords are used in certain configuration files and administration tables for employees and integration models.
See the types of passwords.
- EasyCrypt is a tool shipped with the Service Manager setup. It must be used for encrypting passwords.
- You can implement an Employee password policy with constraints for defining passwords.
See the procedure.
Types of passwords
Administration passwords
- They are used to ensure secure access to EasyVista services.
- They are stored in the configuration files of EasyVista services and in certain tables in the EVO_ADMIN and EVO_DATA databases.
See the list of administration tables and files secured using passwords.
- They are encrypted when Service Manager is installed. You can update them using EasyCrypt.
See the encryption procedure.
Employee passwords
- They enable you to check the identity of users requesting access to a resource or service that requires authentication, e.g. Service Manager, the Technical Support Agent, the Service Manager REST API, etc.
- They are stored in the AM_EMPLOYEE table in the EVO_DATA database.
- You can enable encryption by defining the configuration in the A_COMPANY table in the EVO_ADMIN database.
See the procedure.
- Once you have enabled encryption:
- All new passwords will automatically be encrypted.
- All existing passwords must be encrypted using EasyCrypt.
See the encryption procedure.
Integration model passwords
- They are used to log in to the databases queried by integration models.
- They are stored in integration models in the connection strings of databases.
Notes
- You can manage employee access using an LDAP directory or an SSO tool. In this case:
- The passwords defined in the LDAP directory or SSO tool will be used instead of those defined in Service Manager.
- Only passwords for external service providers authorized to access Service Manager should be defined via employee access management.
- In Other Parameters, you should activate the parameter called {ADMIN} Enable double authentication to check whether users missing from the LDAP directory or SSO tool are defined in Service Manager.
- For users not managed in an LDAP directory or SSO tool:
- You can assign passwords to users using the Change Password wizard in employee access management.
See the procedure.
- Users can change their own password in the user information zone.
- Users who have forgotten their password can recover it using the Service Manager login window.
- Passwords are always entered in plain text when users log in to Service Manager.
- Their password is encrypted in a transparent way when they request access to Service Manager.
- Access is authorized if the encrypted password is identical to the encrypted password stored in the database.
- Employee password policy:
- It is defined by EasyVista.
- It is displayed when users click the Forgot your Password? link to change their password, or when their user password is expired.
- It includes rules that all users are required to respect for the entry of passwords: eight characters minimum, with at least one upper-case letter, one lower-case letter, one number and one special character.
- You can only modify the minimum number of characters for passwords. The default value is defined in Other Parameters > {ADMIN} User passwords: minimum number of characters.
Caution
- For security reasons and to safeguard data confidentiality, only administrators are authorized to implement employee password encryption.
- You should always perform a backup of the EVO_DATA database before implementing the encryption of employee passwords.
- If you want certain users to change their password on a regular basis, you can force passwords to expire manually. Define a query to select the relevant users.
List of administration tables and files secured using passwords
File/Table | Attribute |
---|---|
smoBackOffice.cfg | [POP3 Connect], [SQL Connection] |
smoServer.ini | Password |
smoTranslator.ini | Password, Owner_Password |
EVO_ADMIN.A_COMPANY | ADMIN_PWD, CONFIG_OWNER_PASSWORD, CONFIG_PASSWORD, DATAONLINE_OWNER_PASSWORD, DATAONLINE_PASSWORD, REFERENCE_OWNER_PASSWORD, REFERENCE_PASSWORD, LDAP_PWD |
EVO_ADMIN.A_PARAMETERS | BackOffice_Owner_Password, BackOffice_Password, DOCUMENT_SHARE_PASSWORD, FTP_PASSWORD, PORTAL_PWD, PROCEDURE_OWNER_PASSWORD, PROCEDURE_PASSWORD, SMTP_PASSWORD, SMTPPassword |
EVO_DATA.AM_PARAMETER | MAPI_PASSWORD |
EVO_DATA.SD_MAILBOX | User_password |
Procedures
How to define an employee password policy
Step 1: Run the dedicated wizard.
1. Select Administration > Access Management > Employees in the Service Manager menu.
2. Run the Definition of Password Policies wizard.
Step 2: Define the password expiration rules.
1. Select the Enable the password expiration box.
The required fields for managing password expiration will appear.
2. Define the password expiration rules to be applied to your company.
- If you want users to change their password on a regular basis, specify the frequency for doing so.
- If you want users to change their password when they next log in to Service Manager/Service Apps, select the Expire all passwords now box.
Step 3: Define the password definition rules.
1. You can only modify the minimum number of characters for passwords.
You cannot modify the other rules: at least one upper-case letter, one lower-case letter, one number and one special character.
Step 4: Enable the Employee password policy.
1. Click Finish.
- The password definition rules will take effect when users next log in to Service Manager/Service Apps.
- When passwords are due to expire:
- The last update date of the password will reset to blank in the AM_EMPLOYEE table (PASSWD_LAST_UPDATE_UT field).
- An email will be sent to each user with a new temporary password.
Step 5: Users must change passwords that are due to expire.
1. When passwords are due to expire, the Service Manager/Service Apps login window will display a message asking users to enter a new password.
2. Users must change their password.
- Users must enter the temporary password sent by email in the Previous password field.
- Users must enter and confirm their new password in plain text in the relevant fields and click OK.
- The last update date for the password will be refreshed in the AM_EMPLOYEE table.
- The new password will be encrypted and stored in the AM_EMPLOYEE table.
How to assign a password to a user
Step 1: Select the Employee form.
1. Select Administration > Access Management > Employees or Directory > Employees in the menu.
2. Select the relevant user.
Step 2: Enter the new password for the user.
1. Run the Change Password wizard.
2. Enter and confirm the password to be assigned to the user.
3. Click Finish.
- An email will be sent to the user with the new password.
- The new password will take effect when the user next logs in to Service Manager.
How to change your own password
1. Click the user information zone in the top banner.
2. Select Change my Password.
3. Enter your previous password.
4. Enter and confirm your new password.
5. Log out of Service Manager.
6. Log in again using your new password.
How to request a new password if the password is forgotten
Step 1: Request a new password.
1. Click Forgot your Password? in the Service Manager login window.
2. Enter your Service Manager login or email address.
3. Click Send.
An email with a temporary password will be sent to your Service Manager inbox.
Step 2: Enter a new password.
1. Log in to Service Manager using the temporary password sent by email.
Note: If you use this password once the validity period has been exceeded, the login page will invite you to enter and replace it immediately.
2. Enter your new password.
- Click Change my Password in the user information zone.
- Enter the temporary password sent by email in the Previous password field.
- Enter and confirm your new password.
- Click OK.
Your previous password will be reset and will no longer be usable.
How to implement employee password encryption
Prerequisites: Perform a backup of the EVO_DATA database.
Step 1: Enable employee password encryption.
1. Run the query below in SQL Server Management Studio.
Note: Replace {your_account} with the Service Manager account where the passwords must be encrypted.
Example: 50004 for the Production database; 50005 for the Sandbox database.
UPDATE A_COMPANY  -- A_COMPANY table in the EVO_ADMIN database
SET crypt_pass=1
WHERE company_account={your_account}
2. Restart EasyVista services in the order indicated below.
Stopping services
- net stop smoScheduler
- net stop smoAstService
- net stop smoPrintServer
- net stop TSmoMonitoringService
- net stop EasyVistaKernel
- net stop EasyVistaServer
- net stop SMO_Server
- net stop SMOBroker
Restarting services
- net start SMOBroker
- net start SMO_Server
- net start EasyVistaServer
- net start EasyVistaKernel
- net start TSmoMonitoringService
- net start smoPrintServer
- net start smoAstService
- net start smoScheduler
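The stop and restart sequence above can be scripted so that each service reaches its target state before the next one is touched. This is an added example, not part of the EasyVista documentation; the service names and order are taken from the lists above, while the `Set-ServiceState` helper and the 120-second timeout are assumptions.

```powershell
#Requires -RunAsAdministrator
# Added example: ordered restart of the EasyVista services named in the procedure.
# Service names and order come from the page; the timeout value is an assumption.

$stopOrder = @(
    'smoScheduler', 'smoAstService', 'smoPrintServer', 'TSmoMonitoringService',
    'EasyVistaKernel', 'EasyVistaServer', 'SMO_Server', 'SMOBroker'
)
$timeout = [TimeSpan]::FromSeconds(120)   # assumed maximum wait per service

# Hypothetical helper: bring one service to the target state and wait for it.
function Set-ServiceState {
    param(
        [string]$Name,
        [ValidateSet('Running', 'Stopped')][string]$Target
    )
    $svc = Get-Service -Name $Name -ErrorAction Stop
    if ($svc.Status -ne $Target) {
        if ($Target -eq 'Stopped') { Stop-Service  -Name $Name -ErrorAction Stop }
        else                       { Start-Service -Name $Name -ErrorAction Stop }
    }
    # Block until the service control manager reports the target state;
    # WaitForStatus throws a TimeoutException if the state is not reached in time.
    $svc.WaitForStatus($Target, $timeout)
    Write-Host ("{0,-24} {1}" -f $Name, $Target)
}

try {
    foreach ($name in $stopOrder) { Set-ServiceState -Name $name -Target Stopped }

    # The start order on the page is the exact reverse of the stop order.
    $startOrder = $stopOrder.Clone()
    [array]::Reverse($startOrder)
    foreach ($name in $startOrder) { Set-ServiceState -Name $name -Target Running }
}
catch {
    # Stop at the first failure so later services are not started out of order,
    # then show the current state of every service for troubleshooting.
    Write-Error "Restart sequence halted: $($_.Exception.Message)"
    Get-Service -Name $stopOrder -ErrorAction SilentlyContinue |
        Format-Table Name, Status -AutoSize
    exit 1
}
```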
Step 2: Batch encrypt existing passwords.
1. Save the existing non-encrypted passwords in a CSV file.
2. Use EasyCrypt to encrypt all of the passwords in the CSV file.
See How to use EasyCrypt (Batch encrypt passwords contained in a CSV file)
All passwords will be encrypted and saved in a new CSV file.
Step 3: Store passwords in the am_employee table.
1. Define an integration model.
- Use the Employee connector.
- Select the CSV file containing the encrypted passwords as the data source.
- Map the fields for the passwords and for the salt if you selected the With Salt option during the hashing process.
2. Run the integration.
All of the passwords in the AM_EMPLOYEE table will be replaced with the encrypted passwords.