000024353 - RSA Cleartrust / Access Manager Password Lockout and Lockout Email in Aserver Read-Only configurations

Document created by RSA Customer Support Employee on Jun 16, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.

Article Content

Article Number: 000024353
Applies To: RSA ClearTrust Servers 5.5.x
RSA Access Manager Servers 6.0
Issue

Password Lockout and Lockout Email in Aserver Read-Only configurations

Eserver manages lockout data and sends lockout email to administrators


The read-only password lockout setting in aserver changed in Access Manager 6.0: the setting's name differs from the one used in 5.5.x. If the old name is still in use, both the lockout feature and the sending of email on lockout can fail.

When a user exceeds the password failure count and is locked out, an email can be sent to the administrator of the group the user belongs to.

The email is sent to the address specified in the password policy (via the ADMINGUI) for that group. The from address and the other email settings (SMTP host, port, login, from address) must be configured in either aserver.conf or eserver.conf. The password lockout feature itself must also be enabled: cleartrust.aserver.password_lockout_enable=true

By default the aserver writes the failed login counts, sets the locked flag and sends the email. If the authserver (aserver) uses a read-only datastore, it can instead send the password lockout information to the eserver API port; the eserver then sets the lockout information and sends the email. To enable this behaviour, set the following parameter to true:

In ClearTrust 5.5.x (undocumented): cleartrust.aserver.datastore.read_only=true

The parameter was renamed in the 6.0 release:

In Access Manager 6.0 (documented): cleartrust.aserver.password_lockout_readonly=true

Resolution

For a 5.5.3 installation: the cleartrust.aserver.datastore.read_only=true parameter is not in the documentation and must be set so that the aserver sends the lockout information to the eserver, which then writes the password lockout data and sends the email notifications. The additional admin_api parameters (see Notes) are also absent from the shipped conf file and must be added manually.


A 5.5.x to 6.0 upgrade that used this feature may break: the old 5.5.x parameter name must be replaced with the new 6.0 parameter name.


For a new 6.0 installation the information is properly documented and all settings are found in the aserver.conf.

Notes

Additional settings, whose parameter names did not change, are also required in both releases. See the example below.

Installation and Configuration Guide 5.5.3, Chapter 11, page 143; 6.0, Chapter 11, page 154.

     cleartrust.aserver.admin_api.hostname=eserver.example.com
     cleartrust.aserver.admin_api.port=5601
     cleartrust.aserver.admin_api.username=admin
     cleartrust.aserver.admin_api.password=admin1234
     cleartrust.aserver.admin_api.role=Default Administrative Role
     cleartrust.aserver.admin_api.admingroup=Default Administrative Group
     cleartrust.aserver.admin_api.use_ssl=anon
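A quick check for these settings, added here as example code (not RSA's): it parses an aserver.conf, reports whether the read-only key carries the name for the chosen release and whether the old name is still present, and lists any missing admin_api parameter. The conf format (key=value, '#' comments) and the sample conf are assumptions.

```python
# Added checker, not RSA's code; keys below are the ones the article names.
READONLY_KEY = {"5.5": "cleartrust.aserver.datastore.read_only",   # renamed in 6.0
                "6.0": "cleartrust.aserver.password_lockout_readonly"}
LOCKOUT_ENABLE_KEY = "cleartrust.aserver.password_lockout_enable"
ADMIN_API_KEYS = ["cleartrust.aserver.admin_api." + s for s in
                  ("hostname", "port", "username", "password",
                   "role", "admingroup", "use_ssl")]


def parse_conf(text: str) -> dict:
    """Parse key=value lines; blank and '#' lines are skipped (assumed format)."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            conf[key.strip()] = value.strip()
    return conf


def check_readonly_lockout(text: str, version: str) -> list:
    """Return findings for release '5.5' or '6.0'; an empty list means all set."""
    conf = parse_conf(text)
    wanted = READONLY_KEY[version]
    stale = READONLY_KEY["6.0" if version == "5.5" else "5.5"]
    findings = []
    if conf.get(LOCKOUT_ENABLE_KEY, "").lower() != "true":
        findings.append(f"{LOCKOUT_ENABLE_KEY}=true missing: lockout is disabled")
    if conf.get(wanted, "").lower() != "true":
        findings.append(f"{wanted}=true missing: aserver will not hand lockouts to eserver")
    if stale in conf:
        findings.append(f"{stale} is the other release's name: replace it with {wanted}")
    for key in ADMIN_API_KEYS:
        if key not in conf:
            findings.append(f"{key} missing: aserver cannot reach the eserver API port")
    return findings


# Constructed sample: a 5.5.x -> 6.0 upgrade that kept the old name and only
# two of the admin_api settings (hostname and port values are placeholders).
SAMPLE_UPGRADED_CONF = """
cleartrust.aserver.password_lockout_enable=true
cleartrust.aserver.datastore.read_only=true
cleartrust.aserver.admin_api.hostname=eserver.example.com
cleartrust.aserver.admin_api.port=5601
"""
if __name__ == "__main__":
    for finding in check_readonly_lockout(SAMPLE_UPGRADED_CONF, "6.0"):
        print("FINDING:", finding)
```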

Legacy Article ID: a34105
