Safeguard Reference Manual (G06.24+, H06.03+)

Event-Exit-Process Commands
Safeguard Reference Manual 520618-013
15-31
subjected to custom validation. Rules that supplement the Safeguard password
controls can be applied to password validation. If password rules are disabled in the
Safeguard configuration record, validation by the password-quality exit effectively
replaces Safeguard password controls.
The password-quality exit is separate from the authentication exit, and it is not invoked
by the Safeguard software during an authentication event. Its sole purpose is password
validation. To make use of the password-quality exit during authentication, the
authentication process must be written so that it calls or incorporates the logic of the
password-quality exit.
The $ZSMP process receives password requests from the PASSWORD program when
a password is created or changed. It also receives these requests from the following
Safeguard commands: ADD USER, ALTER USER, ADD ALIAS, and ALTER ALIAS.
The $ZSMP routes these requests to the event-exit process if ENABLE-PASSWORD-EVENT
is ON. If ENABLE-AUTHENTICATION-EVENT is OFF when ENABLE-PASSWORD-EVENT is ON,
the $ZSMP also sends password changes that occur during the interactive logon dialog.
The event-exit process can only accept or deny the password. It can also send a
message to accompany the acceptance or denial. The event-exit process cannot
return generated passwords or engage in additional dialog for this event.
Timeout Policy for Password-Quality Requests
If the event-exit process does not respond to a request within the configured time
interval, $ZSMP assumes that a problem has occurred and continues processing as
follows.
If the password-quality request is from an undeniable user when a timeout occurs, the
request is removed from the outstanding queue, and the attempt is allowed to proceed
with the Safeguard software performing the password-quality check. Super-group
members are considered undeniable users. An EMS message indicates an undeniable
user has timed out, thereby prompting the undeniable user to disable the
malfunctioning event-exit process.
If the password-quality request is from a deniable user when a timeout occurs, the
attempt is denied. An EMS message indicates a deniable user has timed out, thereby
indicating a problem with the event-exit process.
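The dispatch and timeout behaviour described above, modelled as an added Python example (not Safeguard code): the exit is a plain callable, the Safeguard password controls are stand-in rules, running the Safeguard check before the exit is an assumption of the model, and the EMS text is constructed.

```python
"""Model of $ZSMP handling of a password-quality request and its timeout policy.
Added illustration, not Safeguard code: the exit protocol, message formats and EMS
event numbers are not on this page; EMS events are returned as constructed text."""
import time
from concurrent.futures import ThreadPoolExecutor, TimeoutError
from typing import Callable, Optional, Tuple

ExitResult = Tuple[bool, str]                    # the exit may only accept/deny, plus a message
PasswordExit = Callable[[str, str], ExitResult]

def safeguard_builtin_check(user: str, password: str) -> ExitResult:
    """Stand-in for the Safeguard password controls held in the configuration record."""
    if len(password) < 8:
        return False, "Safeguard: password shorter than 8 characters"
    if user.split(".")[-1].lower() in password.lower():
        return False, "Safeguard: password contains the user name"
    return True, "Safeguard: accepted"

def route_password_request(user: str, password: str, password_exit: PasswordExit,
                           super_group: bool, timeout_seconds: float,
                           safeguard_rules_enabled: bool = True) -> Tuple[bool, str, Optional[str]]:
    """Return (accepted, message, ems_message or None).
    Assumed ordering: Safeguard's own controls, when enabled, run first and the exit
    supplements them; when disabled, the exit's verdict replaces them.
    On timeout: super-group (undeniable) users fall back to the Safeguard check,
    deniable users are denied, and both cases raise an EMS message."""
    if safeguard_rules_enabled:
        ok, msg = safeguard_builtin_check(user, password)
        if not ok:
            return False, msg, None
    with ThreadPoolExecutor(max_workers=1) as pool:
        try:
            ok, msg = pool.submit(password_exit, user, password).result(timeout=timeout_seconds)
            return ok, msg, None                 # a timely exit verdict is final
        except TimeoutError:
            pass                                 # request dropped from the outstanding queue
    if super_group:
        ok, msg = safeguard_builtin_check(user, password)
        return ok, msg, f"EMS: exit timed out for undeniable user {user}; disable the malfunctioning event-exit process"
    return False, "password-quality exit did not respond", f"EMS: exit timed out for deniable user {user}; attempt denied"

def digit_rule_exit(user: str, password: str) -> ExitResult:
    """Sample exit supplementing Safeguard's controls: requires at least one digit."""
    return (True, "exit: accepted") if any(c.isdigit() for c in password) else (False, "exit: password must contain a digit")

def hung_exit(user: str, password: str) -> ExitResult:
    """Sample malfunctioning exit that answers far too late (simulated hang)."""
    time.sleep(0.3)
    return True, "exit: too late to matter"
```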
User Database Synchronization
The event-exit process is responsible for synchronization between its own user
database and the Safeguard user database. To maintain consistency between the two
databases, the user files need to be synchronized in these situations:
• During system startup (the event-exit user files must be initialized from the
Safeguard user files)
• When Safeguard user and alias authentication records are added or altered