000018397 - How does RSA Access Manager / RSA ClearTrust calculate the password expiration date for users?

Document created by RSA Customer Support Employee on Aug 11, 2017
Version 1

Article Content

Article Number: 000018397
Applies To: RSA Product Set: Access Manager, ClearTrust
RSA Product/Service Type: Authorization Server (AServer)
RSA Version/Condition: 5.0.1 - 6.2
Issue: How does RSA ClearTrust calculate users' password expiration date?
RSA ClearTrust password expiration date does not appear to match the password policy.
Cause: RSA ClearTrust tracks two attributes in the user object to determine password expiration:
  • The password creation date - ctscPasswordCreationDate
  • The password expiration date - ctscPasswordExpirationDate
It also uses an attribute in the password policy object of the administrative group, ctscPolicyTimeOffset, to store the password lifetime. Depending on how the expiration date is set in the user object, ClearTrust may calculate the password expiration differently.
For users whose password expiration date comes only from a password policy, the password creation date attribute of the user object, ctscPasswordCreationDate, is used. ClearTrust calculates the password expiration dynamically from the password creation date plus the password policy object's lifetime stored in the ctscPolicyTimeOffset attribute. If the user's password has expired, the Entitlements Manager displays the date on which the password expired. If the password is active, the date displayed in the Entitlements Manager is the date the password was created plus the number of days specified in the current password policy. Because the value is recomputed on each evaluation, changing the policy lifetime changes the effective expiration date of every policy-driven user in that administrative group.
If you explicitly set a password expiration date in the Entitlements Manager for a specific user, the password expiration date attribute of the user object, ctscPasswordExpirationDate, is used instead. That explicit date supersedes any other settings defined for that user for the lifetime of the password. Any modification to the "Password Expires" field in the Entitlements Manager enables this behaviour. Such an expiration date is unrelated to the current password policy of the user's administrative group, so a later policy change does not affect it.
The following user attributes are set in LDAP for each condition:

The user's password expiration is being calculated by a password policy

  • ctscUserKeywords=NotExpired
  • ctscUserKeywords=PasswordPolicy
  • ctscPasswordCreationDate={This date is added to the ctscPolicyTimeOffset in the password policy to determine whether the password has expired.}
  • ctscPasswordExpirationDate={This date is not used in the calculation; it holds the expiration date calculated from the policy when the user was created. If the password policy has changed since then, this date is no longer accurate.}

The user's password expiration has been set manually from the user's screen

  • ctscUserKeywords=NotExpired
  • ctscUserKeywords=Forced
  • ctscPasswordCreationDate={This date is not used in the calculation; it is the date the password was last set.}
  • ctscPasswordExpirationDate={This date is used to calculate the expiration of the password. It is the absolute date on which the password expires.}

The user's password was set to "expire now" from the user's screen

  • ctscUserKeywords=NormalForcedExpiration
  • ctscUserKeywords=Forced
  • ctscPasswordCreationDate={This date is not used in the calculation; it is the date the password was last set.}
  • ctscPasswordExpirationDate={This date is not used in the calculation; it holds the date on which the password was set to expire now. The password is treated as expired regardless of this value.}
Resolution: If you have previously set an explicit password expiration date on a user object and wish to return this user to the expiration date configured in the password policy, follow this procedure:
  1. Expire the user's password
  2. Give the user a new password so the password status displays as Active
If you have access to LDAP, you can identify users with explicit password expiration dates (including those set to "expire now") by the presence of a ctscUserKeywords attribute with the value Forced, for example with the search filter (ctscUserKeywords=Forced). Users whose expiration still follows the policy carry the value PasswordPolicy instead.
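The decision logic above (policy-driven, explicit, and "expire now" users, plus the LDAP check for Forced) is summarised in the following worked example. This is an added illustration, not ClearTrust code or an RSA tool; the attribute names come from this article, but the value formats are assumed, since the article does not state them: the two date attributes are taken to be LDAP generalized time strings (YYYYMMDDHHMMSSZ), ctscPolicyTimeOffset is taken to be the policy lifetime in whole days, and the user entries, uids, the 90-day policy and the evaluation instant are constructed sample data.

```python
"""Derive a ClearTrust user's effective password-expiration date from the
ctscUserKeywords / ctscPasswordCreationDate / ctscPasswordExpirationDate
attributes and the policy's ctscPolicyTimeOffset, and flag stale or forced
entries. Added example; value formats below are assumptions, not documented."""
from datetime import datetime, timedelta, timezone

LDAP_FILTER_FORCED = "(ctscUserKeywords=Forced)"  # selects explicit and expire-now users
POLICY_TIME_OFFSET_DAYS = 90                      # assumed current policy lifetime (days)
NOW = datetime(2017, 8, 11, 12, 0, tzinfo=timezone.utc)  # constructed evaluation instant

# Constructed sample entries, one per condition described in the article.
SAMPLE_USERS = [
    {   # policy-driven; stored expiration was computed under an older 180-day policy
        "uid": "alice",
        "ctscUserKeywords": ["NotExpired", "PasswordPolicy"],
        "ctscPasswordCreationDate": "20170601000000Z",
        "ctscPasswordExpirationDate": "20171128000000Z",
    },
    {   # explicit date entered in the "Password Expires" field
        "uid": "bob",
        "ctscUserKeywords": ["NotExpired", "Forced"],
        "ctscPasswordCreationDate": "20170701000000Z",
        "ctscPasswordExpirationDate": "20170801000000Z",
    },
    {   # "expire now" from the user's screen
        "uid": "carol",
        "ctscUserKeywords": ["NormalForcedExpiration", "Forced"],
        "ctscPasswordCreationDate": "20170705000000Z",
        "ctscPasswordExpirationDate": "20170810093000Z",
    },
]


def parse_generalized_time(value):
    """Assumed format: LDAP generalized time in UTC, e.g. 20170601000000Z."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def classify(keywords):
    """Map the ctscUserKeywords values to the three modes the article describes."""
    kws = set(keywords)
    if "NormalForcedExpiration" in kws:
        return "expire-now"
    if "Forced" in kws:
        return "explicit"
    if "PasswordPolicy" in kws:
        return "policy"
    raise ValueError("unrecognised ctscUserKeywords: %r" % sorted(kws))


def effective_expiration(user, policy_offset_days, now):
    """Return {'mode', 'expires', 'expired'} for one user entry."""
    mode = classify(user["ctscUserKeywords"])
    if mode == "policy":
        # Creation date plus the *current* policy lifetime; the stored
        # ctscPasswordExpirationDate is ignored entirely.
        expires = parse_generalized_time(user["ctscPasswordCreationDate"]) \
            + timedelta(days=policy_offset_days)
        expired = expires <= now
    elif mode == "explicit":
        # Absolute per-user date; the policy lifetime is ignored.
        expires = parse_generalized_time(user["ctscPasswordExpirationDate"])
        expired = expires <= now
    else:  # expire-now
        # Already expired; the stored date only records when that was done.
        expires = parse_generalized_time(user["ctscPasswordExpirationDate"])
        expired = True
    return {"mode": mode, "expires": expires, "expired": expired}


def stale_policy_dates(users, policy_offset_days, now):
    """uids of policy-driven users whose stored date no longer matches the policy,
    i.e. the entries whose displayed date looks wrong after a policy change."""
    stale = []
    for u in users:
        r = effective_expiration(u, policy_offset_days, now)
        if r["mode"] == "policy" and \
                parse_generalized_time(u["ctscPasswordExpirationDate"]) != r["expires"]:
            stale.append(u["uid"])
    return stale


def forced_users(users):
    """Local equivalent of searching the directory with LDAP_FILTER_FORCED."""
    return [u["uid"] for u in users if "Forced" in u["ctscUserKeywords"]]


if __name__ == "__main__":
    for u in SAMPLE_USERS:
        r = effective_expiration(u, POLICY_TIME_OFFSET_DAYS, NOW)
        print(u["uid"], r["mode"], r["expires"].isoformat(),
              "expired" if r["expired"] else "active")
    print("stale stored dates:", stale_policy_dates(SAMPLE_USERS, POLICY_TIME_OFFSET_DAYS, NOW))
    print("forced (explicit or expire-now):", forced_users(SAMPLE_USERS))
```

Run as-is to see alice reported as active until 30 August 2017 (creation date plus the 90-day policy) even though her stored ctscPasswordExpirationDate still says 28 November, which is exactly the mismatch this article explains; bob and carol are both matched by the Forced filter and are the accounts the Resolution procedure applies to.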
Workaround: The mismatch is seen in the following situations:
  • A new password policy has been created for the administrative group
  • A user's password expiration date was manually changed in the user's screen
  • A user's password was set to expire now
Legacy Article ID: a20173
