Service Account Password Complexity - Prod RSA
A recent security audit has flagged a non-compliant finding which will require remediation on high priority due to its critical nature.
The passwords for the below accounts should meet the complexity requirements as below.
If the password is set to never expire, the password length must be 20 characters and it must contain all four qualities, i.e. upper case characters, lower case characters, numeric and special characters.
Used a complex password such as P)g7dq)f%YbV~%8d/$%u (20 characters) having all four qualities, i.e. upper case characters, lower case characters, numeric and special characters.
Updated the password for the account used for Active Directory binding from the Operations Console and it works fine.
Let me know if that helps answer your query.
Thanks for the update. I am scared: if I change to the complex password that has all 4 qualities from the Operations Console, will it not break the existing setup, like the load-balanced web tier and RADIUS server, and all authentication goes to Active Directory? Please let me know. Thanks.
Create a test user that has a 20-character password with the required complexity and ensure that user is available to RSA. Verify whether that user is able to log in to the Self-Service Console with an LDAP password to rule out any issues.
Thanks for the update. Could you please share the steps for how we can test in the Self-Service Console whether the user is able to log in with an LDAP password? Thanks.
In the Security Console - Setup - Self Service, there is a section for authentication methods to the Self Service Console.
There you can set authentication methods for the Self-Service Console, including something like either Token or Password (either LDAP or a user created in the internal database). There is a similar setting for the Security Console.
When you access the Self-Service Console, you are presented with options to either log on or even request an account.
If you have configured a choice between Password and Passcode, when you enter your User ID, you will be prompted to select which choice you want to log on with.
If you change the AD or LDAP service account password in AD or LDAP, you reflect that change in the Identity Source Configuration in the Operations Console - Deployment Configuration.
Thanks Prasanna. One more thing: we have 1 primary RADIUS server and 2 replica servers, so when changing the complex password from the Operations Console, will it update the primary RADIUS server only, or do we need to change the password for the primary and the 2 replica servers as well? If yes, please share the steps. Thanks in advance.