Reconcile Password
Overview
Passwords in the Vault must be synchronized with corresponding passwords on remote devices to ensure that they are constantly available. Therefore, the CPM runs a verification process to check that passwords are synchronized. If the verification process discovers passwords that are not synchronized with their corresponding password in the Vault, the CPM can reset both passwords and reconcile them. This ensures that the passwords are resynchronized automatically, without any manual intervention.
The platform contains rules that determine whether automatic reconciliation will take place when a password is detected as unsynchronized, or whether it is launched only through a manual operation by an end user/system admin. A reconciliation account password that will be used to reset the unsynchronized password can be defined either in the platform or at account level. We strongly recommend that you store this account in a separate Safe, where it is only accessible to the CPM for reconciliation purposes.
During password verification, the CPM plug-ins return a list of predefined errors to the CPM. Each platform specifies the specific errors that will launch a reconciliation process for passwords linked to that platform. This enables each enterprise to specify its own prompts for reconciling passwords and gives maximum flexibility to individual needs.
During password reconciliation, the unsynchronized password is replaced in the Vault and on the remote device with a new password that is generated according to the relevant platform. As soon as reconciliation is finished successfully, all standard verifications and changes can be carried out as usual. Users can see details of the last reconciliation process in the Operational Views in the Accounts List.
Define a reconciliation account password
Define a reconciliation password at either of the following levels:
■ Platform – All accounts attached to a specific platform will use the reconciliation account password specified in the platform. For more information, refer to Reconcile passwords.
■ Account – A reconciliation account password can be defined at account level and will override the account specified in the platform.
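The two rules above (an account-level reconciliation account overrides the platform-level one, and the reconciliation account should be stored in a separate Safe accessible only to the CPM) can be checked over an account inventory. The following is an added example, not CyberArk code: the record layout, the finding codes and the CPM user name `PasswordManager` are assumptions, and all data is constructed.

```python
# Added example: audit where reconciliation accounts are stored.
# Constructed sample inventory; field names are assumptions, not a CyberArk schema.
CPM_USER = "PasswordManager"  # assumed CPM user name

PLATFORM_RECONCILE = {"UnixSSH": "recon-unix", "WinDomain": None}
ACCOUNTS = {
    "recon-unix":  {"safe": "Recon-Only",   "platform": "UnixSSH",   "reconcile": None},
    "recon-win":   {"safe": "Win-Servers",  "platform": "WinDomain", "reconcile": None},
    "root@web01":  {"safe": "Unix-Servers", "platform": "UnixSSH",   "reconcile": None},
    "svc@db01":    {"safe": "Unix-Servers", "platform": "UnixSSH",   "reconcile": "recon-win"},
    "admin@dc01":  {"safe": "Win-Servers",  "platform": "WinDomain", "reconcile": "recon-win"},
    "oracle@db02": {"safe": "Win-Servers",  "platform": "WinDomain", "reconcile": None},
}
SAFE_MEMBERS = {
    "Recon-Only":   {"PasswordManager"},
    "Win-Servers":  {"PasswordManager", "helpdesk"},
    "Unix-Servers": {"PasswordManager", "unix-admins"},
}

def effective_reconcile_account(name):
    """Account-level setting overrides the platform-level one."""
    acct = ACCOUNTS[name]
    return acct["reconcile"] or PLATFORM_RECONCILE.get(acct["platform"])

def audit(name):
    """Return finding codes for one managed account."""
    recon = effective_reconcile_account(name)
    if recon is None:
        return ["NO_RECONCILE_ACCOUNT"]
    findings = []
    recon_safe = ACCOUNTS[recon]["safe"]
    if recon_safe == ACCOUNTS[name]["safe"]:
        findings.append("SAME_SAFE_AS_MANAGED_ACCOUNT")
    if SAFE_MEMBERS[recon_safe] - {CPM_USER}:
        findings.append("SAFE_NOT_CPM_ONLY")
    return findings

def audit_all():
    """Audit every account that is not itself used as a reconciliation account."""
    used = {effective_reconcile_account(n) for n in ACCOUNTS}
    return {n: audit(n) for n in ACCOUNTS if n not in used}

if __name__ == "__main__":
    for name, findings in audit_all().items():
        print(f"{name:12} {', '.join(findings) or 'OK'}")
```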
- Display the Account Details page for the account to link to a reconciliation account.
- In the CPM pane, either link the current account to an existing account or create a new one.
To link to an existing reconciliation account password:
  - Click Associate; the Accounts list appears.
  - Select an account to use as the reconciliation account password, then click Associate.
  - The selected account is linked to the current account and its name appears in the CPM pane of the account's Account Details page.
To create a new reconciliation account password:
-
Reconcile a password automatically
Users who belong to the Vault Admins group can configure password verification processes in the platform settings page. The Vault Admins group must be an owner of the CPM Safe with the following authorizations:
■ Retrieve accounts (files)
■ Update password (file) value
- Click ADMINISTRATION to display the System Configuration page, then click Platform Management to display a list of supported target account platforms.
- Select the platform to configure, then click Edit; the platform settings page for the selected platform appears.
- In the Password Reconciliation parameters, specify the parameters that determine the automatic reconciliation process for passwords linked to the platform.
For more information about these parameters, refer to Reconcile passwords, in Automatic Account Management.
Reconcile a password manually
Although password reconciliation processes can be scheduled to take place automatically at regular intervals, a reconciliation process can also be initiated manually in the PVWA by users who have the following Safe member authorizations:
■ Initiate CPM password management operations
Users who belong to the Vault Admins group can configure password reconciliation processes in the platform settings page. The Vault Admins group must be an owner of the CPM Safe with the following authorizations:
■ Retrieve accounts
■ Update password value
- In the Accounts list, click the account to reconcile and display the Account Details page.
- In the toolbar, click Reconcile; a confirmation box appears prompting you to confirm the password reconciliation process.
- Click OK; the password is marked for reconciliation and the CPM will reconcile it during the next password management cycle. The CPM tab displays a message indicating that the password will be reconciled.
You can cancel the reconciliation process any time before it occurs.