Safeguard Reference Manual (G06.24+, H06.03+)

Event-Exit-Process Commands
Safeguard Reference Manual 520618-013, page 15-32
User Database Synchronization
• When user records are added or altered in the event-exit database
• When passwords are changed during authentication dialog with the event-exit process
• After the event-exit process has been stopped
General Procedure
Except for reading the Safeguard password field, all of these synchronization efforts
can be handled with the following Safeguard SPI commands: ADD USER/ALIAS,
ALTER USER/ALIAS, and INFO USER/ALIAS. Passwords must be handled in a more
complex manner, described in Password Synchronization on page 15-32.
The event-exit process is responsible for propagating to the Safeguard database any
changes that occur within its database. This can be accomplished using Safeguard SPI
or a SAFECOM script.
To propagate changes from the Safeguard user database to the event-exit user
database, the event-exit process must load its database using SPI INFO requests. This
provides all information except passwords.
To remain synchronized with the Safeguard database, the event-exit process must poll
the Safeguard database at reasonable intervals. The event-exit process must
determine if new users have been added since the last polling. It also must check the
last modified date in each user record to determine if the record matches that of the
corresponding user in its own database. If a user record has changed, the event-exit
process must collect the new information and mark the user in its own database if the
password has changed.
Similarly, if the event-exit was disabled while the Safeguard subsystem was running,
the event-exit process must poll the Safeguard database for changes.
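The polling pass described above, as an added example (not code from the manual or from HP): Python with in-memory dictionaries standing in for the results of SPI INFO USER requests and for the event-exit database. The field names, the password_changed timestamp used to detect a password change, and the flagging of newly found users are assumptions. The same pass serves the case where the event exit was disabled for a time.

```python
from dataclasses import dataclass, replace
from typing import Dict, List, Tuple

@dataclass(frozen=True)
class UserRecord:
    # Hypothetical field names; these are not real SPI token names.
    name: str
    last_modified: int            # last-modified date of the user record
    password_changed: int         # assumed: time of the last password change
    attributes: Tuple[str, ...] = ()  # non-password attributes returned by INFO
    password_stale: bool = False  # local mark: stored password is out of date

def poll_once(safeguard: Dict[str, UserRecord],
              local: Dict[str, UserRecord]) -> Dict[str, List[str]]:
    """Reconcile the event-exit database against one snapshot of INFO results."""
    report: Dict[str, List[str]] = {"added": [], "updated": [], "password_stale": []}
    for name, remote in safeguard.items():
        mine = local.get(name)
        if mine is None:
            # User added since the last poll. INFO supplies everything except
            # the password, so the new local record starts out marked.
            local[name] = replace(remote, password_stale=True)
            report["added"].append(name)
            report["password_stale"].append(name)
            continue
        if remote.last_modified == mine.last_modified:
            continue  # record matches the local copy; nothing to collect
        # Record changed: collect the new information and keep or set the mark.
        changed = remote.password_changed != mine.password_changed
        local[name] = replace(remote, password_stale=mine.password_stale or changed)
        report["updated"].append(name)
        if changed and not mine.password_stale:
            report["password_stale"].append(name)
    return report

def build_sample() -> Tuple[Dict[str, UserRecord], Dict[str, UserRecord]]:
    """Constructed sample data: (Safeguard snapshot, event-exit database)."""
    safeguard = {r.name: r for r in (
        UserRecord("SUPER.OPER", 100, 90),
        UserRecord("DEV.ALICE", 250, 250),            # password changed
        UserRecord("DEV.BOB", 300, 120, ("altered",)),  # attribute change only
        UserRecord("QA.CAROL", 400, 400),             # not yet known locally
    )}
    local = {r.name: r for r in (
        UserRecord("SUPER.OPER", 100, 90),
        UserRecord("DEV.ALICE", 200, 150),
        UserRecord("DEV.BOB", 120, 120),
    )}
    return safeguard, local

if __name__ == "__main__":
    print(poll_once(*build_sample()))
```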
Password Synchronization
The basic premise for database synchronization is that the event-exit process is
responsible for keeping passwords synchronized in the two user databases.
Safeguard passwords are stored in an encrypted form, and HP does not export its
encryption algorithm. The USER_AUTHENTICATE_ procedure is available to allow the
caller to validate a password against the Safeguard user database.
For the Safeguard subsystem to accept passwords from the event exit, it must be
configured in a manner consistent with the event exit’s password management. For
example, if the event-exit process is not applying the Safeguard password rules, the
password rules in the Safeguard configuration must be disabled. Otherwise,
passwords that are valid for the event exit are rejected when an attempt is made to file
them in the Safeguard database.
One way to synchronize passwords is to require that all users change passwords at
initial logon. The event-exit process can authenticate these users the first time through