How-to: Set Up Password Expiration in PAM

Article ID: 124013

Updated On: 07-11-2024

Products

CA Privileged Access Manager (PAM)

Issue/Introduction

In many environments, passwords are set to expire after a period of time, usually for security purposes.
For example, Active Directory includes the GPO option "Maximum password age".
Once a password expires it can no longer be used by CA PAM, since authentication with it will fail.
To ensure this never happens, PAM has a Password Expiration feature that includes an option to force-rotate passwords when they expire.

Resolution

There are two main settings that need to be configured to enable password expiration.
The first is to set the account up with a maximum password age (expiration time).
This only enables date tracking; on its own it is not enough to make passwords rotate automatically after they expire.
The second is to enable automatic rotation once passwords expire.

Part 1 - Set account(s) to track password age/expiration:

  1. Navigate to: Credentials > Manage Targets > Password Composition Policies
  2. Create a new policy, or open an existing one for modification
  3. Enable the checkbox labeled "Maximum Password Age Enforcement"
  4. Choose a Maximum Password Age in the box labeled "Maximum Password Age Days"
    • Tip: To ensure the password never gets into a bad state, it is a best practice to set PAM's expiration age at least 1 day shorter than the authentication source's.
  5. Optionally configure/confirm other Password Composition options
  6. Click OK at the bottom of the form to save the policy
  7. Set this Password Composition Policy on the Target Application(s) that the required Target Account(s) belong to
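
To pick the value for step 4, the effective Active Directory maximum password age for each target account can be read with PowerShell before filling in the policy. This is an added example, not part of the CA article; it assumes the ActiveDirectory module, read access to the domain's password policies, and placeholder account names.

```powershell
# Added example (not from the KB article): for each AD account that PAM manages,
# find the AD maximum password age that actually applies (a fine-grained policy
# can override the domain default) and derive a PAM "Maximum Password Age Days"
# that stays at least one day shorter, as the tip above recommends.
Import-Module ActiveDirectory

function Get-PamMaxAgeRecommendation {
    param(
        [Parameter(Mandatory)] [string[]] $SamAccountName,
        [int] $SafetyMarginDays = 1   # tip: at least 1 day shorter than the source
    )
    $domainPolicy = Get-ADDefaultDomainPasswordPolicy
    foreach ($name in $SamAccountName) {
        $user = Get-ADUser -Identity $name -Properties PasswordNeverExpires
        # A fine-grained password policy (PSO) wins over the domain default when one applies.
        $pso = Get-ADUserResultantPasswordPolicy -Identity $user
        $maxAge = if ($pso) { $pso.MaxPasswordAge } else { $domainPolicy.MaxPasswordAge }
        $source = if ($pso) { "PSO $($pso.Name)" } else { "domain default" }
        # Assumption: a zero-length or TimeSpan.MaxValue-sized MaxPasswordAge means "never expires".
        $neverExpires = $user.PasswordNeverExpires -or $maxAge.Ticks -eq 0 -or $maxAge.Days -ge 10675199
        [pscustomobject]@{
            Account       = $name
            PolicySource  = $source
            AdMaxAgeDays  = if ($neverExpires) { $null } else { $maxAge.Days }
            PamMaxAgeDays = if ($neverExpires) { $null } else { [math]::Max(1, $maxAge.Days - $SafetyMarginDays) }
            Note          = if ($neverExpires) { "AD never expires this password" } else { "use this value in the Password Composition Policy" }
        }
    }
}

# Placeholder account names; replace with the PAM target accounts to check.
Get-PamMaxAgeRecommendation -SamAccountName 'svc_pam_target1', 'svc_pam_target2' | Format-Table -AutoSize
```

Accounts reported under different policy sources need separate Password Composition Policies, since one policy carries a single Maximum Password Age Days value.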


Part 2 - Enable Automatic Update of Expired Passwords:

  1. Navigate to: Settings > Credential Manager > General Settings (tab)
  2. Enable the checkbox labeled "Automatically Update Expired Passwords"
  3. Click Save at the bottom of the screen

FAQ:

How does the automatic rotation work?
Once the password has expired it is rotated automatically during the next job run. The expired password processor runs about every 12 hours; the interval may be longer if there are many expired passwords to process. It starts a few minutes after a service restart, such as after a reboot or when a cluster is turned on.


How can the current expiration status of an account be checked?
To check the status, navigate to Credentials > Manage Targets > Accounts, then open the account and switch to the Password tab. This shows the account information, including expiration information, like the examples below:



The account above is already expired; here are some examples of the other statuses that may be seen:


Additional Information

Tip: For an even safer configuration, PAM can be set to use an administrative account to rotate passwords instead of having the account rotate its own password. That way, if there is ever a problem with the account's own password, rotation should still work as long as the administrative account is still working.

Related Documentation:
Construct Password Composition Policies

Credential Manager Operation Settings

Use an Alternate Account to Change Passwords (Optional)