P-Synch is a commercial product from M-TECH Mercury Information Technologies Inc. that provides password management and SecurID management via a self-service web interface. The product is in use at Princeton University as well as at PPPL.

P-Synch allows users to define one password for multiple systems and to change or reset that password. Additionally, if a user has a SecurID badge for remote access to PPPL, P-Synch provides the user with mechanisms to manage the token and to troubleshoot and correct access problems. Service is provided 24/7.

Systems currently under P-Synch password management are UNIX Cluster/E-mail, PPPL Windows 2000 Domain, and SecurID badges. Future addition of other systems such as the Timesheets and Business Systems is anticipated.

Note that passwords expire annually. When your password(s) next expires, you will be required to change it using this utility. 

From inside the lab, you must have either a known UNIX password or a working SecurID badge to access P-Synch. If you have a working SecurID badge but have forgotten your password, you can reset your password. However, if you have forgotten your password and do not have a working SecurID badge, you must call the Help Desk (x2275) for assistance.

From outside the lab, if your SecurID badge is not working, follow this procedure:

  1. Log in at the firewall, entering username pppl and password pppl. This will get you through the firewall to P-Synch.
  2. Open your browser and connect to P-Synch (http://password.pppl.gov/).
  3. Enter your UNIX / e-mail username and password (described further below) to authenticate to P-Synch.
  4. Resync your token, change your PIN, or get emergency codes as described later in this document.

Once again, if you have forgotten your password and do not have a working SecurID badge, you must call the Help Desk (x2275) for assistance.

P-Synch expects your PPPL UNIX Cluster/Mail account name as the P-Synch login ID. This account name is usually composed of the first letter of your first name followed by up to 7 characters of your last name. For example, the P-Synch account name for Steve Davis is 'sdavis'. Since account names are truncated at eight characters, Lew Randerson's account name is 'lranders'.

When you first access P-Synch and display the top level page, you will be asked to log in using this account name in order to get started. To access P-Synch, open your browser and enter the following URL in the address bar:

http://password.pppl.gov/


The P-Synch top level page includes the dialog shown below. Note that you cannot use your browser's BACK or FORWARD functions to navigate through P-Synch web pages. You must use the round blue navigation buttons provided on the P-Synch pages themselves. (Clicking on your browser's navigation buttons will produce "page expired" errors.)



Princeton Plasma Physics Laboratory

   

Self-service login

Please enter your network login ID:

My login ID on Unix Cluster/Mail Accounts

Press to continue:

 
 

Administrator login




The authentication page displays next. This page gives you the option of entering your Unix Cluster/Mail account password or your SecurID PIN+tokencode to identify yourself. The preferred method of authentication is via the SecurID token. You should use your Unix Cluster/Mail account password only when your token is not working, that is, when it is necessary to gain access in order to manage your SecurID and resync the token to the SecurID server, to reset your PIN if you have forgotten it, or to get a set of emergency numbers to use.

For our example, let's authenticate with a SecurID pin+token:


 

Princeton Plasma Physics Laboratory

Steve Davis (SDAVIS)

 

Select an authentication method

Please select an action:

Use password verification on selected target systems.

Use SecurID token passcodes.

 
 

Selecting Use SecurID token brings up this page:


Princeton Plasma Physics Laboratory

Steve Davis (SDAVIS)

 

Challenge-response

You must answer all of the following questions correctly before proceeding.

Question

Answer

What's your PASSCODE (PIN + tokencode displayed on SecurID card)?


 
 



After entering your 4-digit PIN plus your token code, click Continue. If you are successful, you can now use P-Synch to manage passwords or tokens. The page displays the options shown below:


Princeton Plasma Physics Laboratory

Steve Davis (SDAVIS)

 

What would you like to do?

Your last successful login was at 6/18/2003 10:59 AM.
You've had 0 failed attempts since your last successful login.

Passwords
 

Pick a new password  

You last changed your passwords using P-Synch on 5/18/2003 6:41 PM, via the self-service reset module.
 


Accounts  

Add my login accounts  

You have registered 4 account(s) on 3 out of 3 target(s).
 


SecurID tokens  

Manage my token(s)  

 

Logout


Passwords

Select Pick a new password for our example:


Princeton Plasma Physics Laboratory

Steve Davis (SDAVIS)

 

Select a new password for Steve Davis [SDAVIS]

Select a new password for CARROLL:

New password:

Confirm:



Can't think of a password?

Try one of these:

Your password must:

  • have at least 8 characters!
  • have upper and lower case characters!
  • have at least 1 punctuation characters not at the beginning and end!
  • have at least 3 letter(s)!
  • have at least 1 digit(s)!
  • not be constructed from a dictionary word!
  • not be an exact dictionary word match!
  • not contain a dictionary word!
  • not be your username with the letters rearranged!
  • have no more than 2 pair(s) of repeating characters!

Select one of the passwords from the pull-down list or pick a password that follows the password policy rules. Enter the same password again to confirm the change and then click the "change your password" button. If the password you select does not conform to the password policy rules, the page will display which specific rule was not met, and you may enter a revised password.
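The policy rules listed above can be checked mechanically, returning the unmet rules in the same way the page reports them. The following Python code is an added example, not P-Synch's own code: the function name unmet_rules and the word list are constructed for illustration, treating a "pair of repeating characters" as two identical adjacent characters is an assumption, and the "constructed from a dictionary word" rule is left out because the page does not define it.

```python
import string

# Constructed sample word list; a real check would load a full dictionary.
SAMPLE_WORDS = {"password", "plasma", "princeton", "tokamak"}
MIN_WORD_LEN = 4  # assumption: very short words are ignored


def unmet_rules(password, username, words=SAMPLE_WORDS):
    """Return the policy rules from the page that `password` does not meet."""
    failed = []
    lower = password.lower()
    if len(password) < 8:
        failed.append("at least 8 characters")
    if not (any(c.isupper() for c in password)
            and any(c.islower() for c in password)):
        failed.append("upper and lower case characters")
    # Punctuation only counts when it is not the first or last character.
    if not any(c in string.punctuation for c in password[1:-1]):
        failed.append("at least 1 punctuation character not at the beginning and end")
    if sum(c.isalpha() for c in password) < 3:
        failed.append("at least 3 letters")
    if not any(c.isdigit() for c in password):
        failed.append("at least 1 digit")
    if lower in words:
        failed.append("not be an exact dictionary word match")
    if any(w in lower for w in words if len(w) >= MIN_WORD_LEN):
        failed.append("not contain a dictionary word")
    # Assumption: the anagram comparison ignores case.
    if sorted(lower) == sorted(username.lower()):
        failed.append("not be your username with the letters rearranged")
    # Assumption: a "pair" is two identical adjacent characters.
    pairs = sum(1 for a, b in zip(password, password[1:]) if a == b)
    if pairs > 2:
        failed.append("no more than 2 pairs of repeating characters")
    return failed


if __name__ == "__main__":
    # Constructed candidate passwords for the example account 'sdavis'.
    for candidate in ("Tr7e#qLm", "plasma1!", "sivads", "aaBB#cc1x"):
        print(candidate, "->", unmet_rules(candidate, "sdavis") or "OK")
```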

If the change is successful, a new page is displayed that confirms the change in green at the top of the page and lists the accounts that were changed. If the password update failed on one or more systems, the page reports the failure message in red at the top and lists the accounts that failed. You may exit or return to the P-Synch main page from this page.


Accounts

The Accounts option is used to view the accounts you have in P-Synch, but a user's ability to add an account has been disabled. Adding an account can be done by Help Desk personnel.

If you had selected Manage my token(s) the page display looks like:


 

Princeton Plasma Physics Laboratory

Steve Davis (SDAVIS)

 

SecurID profile management

-- Key fob Serial Number 95932412 --

Disable my Key fob

Put my Key fob into Emergency Access Mode

Enter the number of codes to generate:

Enter the number of hours before Emergency Access Mode expires:

Enter the number of digits in token code to be generated (4-8):

Clear my Key fob PIN

Set my Key fob PIN

Enter the 4-8 character PIN to be used (-1 for randomly generated PIN):

Resynchronize my Key fob

Enter the code displaying on Key fob now:

   
 

Managing SecurID Tokens

P-Synch allows users who have SecurID tokens to manage their tokens. Specifically, P-Synch is configured to allow users to do any of the following:

Enabling (activating) a new token

To enable a new token:

  1. Log in and navigate to the SecurID profile management page.
  2. If you have more than one token, click Select token on the row for the token you want to enable. P-Synch displays the management page for the token you selected.
  3. Click Enable. P-Synch confirms that the token is activated.

Disabling a lost or stolen token

To disable a lost or stolen token:

  1. Log in and navigate to the SecurID profile management page.
  2. If you have more than one token, click Select token on the row for the token you want to disable. P-Synch displays the management page for the token you selected.
  3. Click Disable. P-Synch confirms that the token is deactivated.

Getting emergency access codes for temporary use

To get emergency access codes for temporary use, if you need access to a system protected by SecurID but don’t have your token with you:

  1. Log in and navigate to the SecurID profile management page.
  2. If you have more than one token, click Select token on the row for the token you want to generate emergency access codes for. P-Synch displays the management page for the token you selected.
  3. In the Put my SecurID card into Emergency Access Mode section, type a value in the Enter the number of codes to generate field. Each code may only be used once.
  4. Type the number of hours the codes will be valid in the Enter the number of hours before Emergency Access Mode expires field.
  5. Type the required length of the codes in the Enter the number of digits in token code to be generated (4-8) field. Always enter 6 -- the same number of digits your token would generate -- for the length of the code.
  6. Press the Emergency on button. P-Synch confirms entry into emergency access mode.
  7. Make note of the emergency access codes you were given.

Clearing emergency access mode

To clear emergency access mode, if you found your token:

  1. Log in and navigate to the SecurID profile management page.
  2. If you have more than one token, click Select token on the row for the token you want to take out of emergency access mode. P-Synch displays the management page for the token you selected.
  3. Click Emergency off.

Setting a new PIN

To set a new PIN for your token, especially if you have forgotten your current PIN:

  1. Log in and navigate to the SecurID profile management page.
  2. If you have more than one token, click Select token on the row for the token you want to set a PIN for. P-Synch displays the management page for the token you selected.
  3. In the Set my SecurID card PIN section, type a new PIN, from 4 to 8 digits long, or type -1 to have P-Synch select a random PIN for you.
  4. Click Set Pin.
  5. Take note of the new PIN displayed on the screen.

Resynchronizing a token with the ACE/SECURID server

To resynchronize your token, either because you have had more than 3 consecutive failed logins (which locks out your token with the ACE/SECURID server) or because the internal timer on the token is out of sync with the server:

  1. Log in and navigate to the SecurID profile management page.
  2. If you have more than one token, click Select token on the row for the token you want to resynchronize. P-Synch displays the management page for the token you selected.
  3. Type the code displayed on your token in the Enter the code displaying on SecurID card now field, and click Resynchronize.
  4. Wait for the display on your token to change.
  5. Type the code displayed on your token in the Enter the code displaying on SecurID token field, and click Resynchronize.

Special Note:

When you resync your token, enter only the token code displayed on the token. The PIN is not needed here, only the token code. Enter a second token code to finish the resync. If the resync was successful, a confirmation displays in green at the top of the page.