|Applies To||RSA ClearTrust Servers 5.5.x|
RSA Access Manager Servers 6.0
Password Lockout and Lockout Email in Aserver Read-Only configurations
Eserver manages lockout data and sends lockout email to administrators
The Password Lockout Read-Only setting in the aserver changed in Access Manager 6.0: its name is different from the one used in 5.5.x. This could cause the lockout feature, and the sending of email on lockout, to fail.
When a user exceeds the password failure count and is locked out, an email can be sent to the administrator of the group the user belongs to.
The email is sent to the address specified in the password policy (via ADMINGUI) for that group. The from address and other email settings (SMTP host, port login, from address) must be set up in either aserver.conf or eserver.conf. The password lockout feature must also be enabled:
cleartrust.aserver.password_lockout_enable=true
By default the aserver writes the failed login counts, sets the locked flag and sends the email. If a read-only datastore is used by the authserver, then there is a way for the authserver to send password lockout information to the eserver API port. In this case the eserver sets the lockout information and sends the email. To enable this feature, set the following to true:
In ClearTrust 5.5.x (undocumented): cleartrust.aserver.datastore.read_only=true
This parameter was renamed in the 6.0 release.
In Access Manager 6.0 (documented): cleartrust.aserver.password_lockout_readonly=true
For a 5.5.3 installation: the cleartrust.aserver.datastore.read_only=true parameter is not found in the documentation and needs to be set so that the aserver sends the information to the eserver, which then manages writing the password lockout data and sends the email notifications. Also, the additional parameters are not in the conf file and must be added manually.
For a 5.5.x to 6.0 upgrade that used this feature: the feature may break, and the old 5.5.x parameter name must be replaced with the new 6.0 parameter name.
For a new 6.0 installation: the information is properly documented and all settings are found in aserver.conf.
Additional settings, whose parameter names did not change, were also required for both releases. See example below.
Installation and Configuration Guide 5.5.3 Chap 11 pg 143, 6.0 Chap 11 pg 154
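The following check is an added example, not the article's own example or RSA code. It audits the text of an aserver.conf for the three parameters named above and flags a leftover parameter name from the other release. It assumes the file holds key=value lines with '#' comments; the function names and the sample file are constructed for illustration.

```python
# Added example: audit aserver.conf text for the lockout settings named in this article.
# Assumption: the file holds key=value lines and '#' starts a comment.

ENABLE = "cleartrust.aserver.password_lockout_enable"
READONLY_BY_RELEASE = {
    "5.5": "cleartrust.aserver.datastore.read_only",        # 5.5.x name
    "6.0": "cleartrust.aserver.password_lockout_readonly",  # 6.0 name
}


def parse_conf(text):
    """Return {key: value}; a later assignment overrides an earlier one."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip()] = value.strip()
    return settings


def audit_lockout(text, release):
    """List settings that do not match what the article requires for `release`."""
    settings = parse_conf(text)
    expected = READONLY_BY_RELEASE[release]
    findings = []
    if settings.get(ENABLE, "").lower() != "true":
        findings.append(f"{ENABLE} is not set to true")
    if settings.get(expected, "").lower() != "true":
        findings.append(f"{expected} is not set to true")
    for rel, name in READONLY_BY_RELEASE.items():
        if rel != release and name in settings:
            findings.append(f"{name} is the {rel} name; this release uses {expected}")
    return findings


# Constructed sample: a 5.5.x aserver.conf carried unchanged through an upgrade to 6.0.
UPGRADED_CONF = """\
# lockout settings (constructed sample)
cleartrust.aserver.password_lockout_enable=true
cleartrust.aserver.datastore.read_only=true
"""

if __name__ == "__main__":
    for finding in audit_lockout(UPGRADED_CONF, "6.0"):
        print("WARN:", finding)
```

Run against the sample as release "6.0", it reports both the missing 6.0 parameter and the leftover 5.5.x name; the same text audited as "5.5" is clean.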
|Legacy Article ID||a34105|