In many environments, passwords are set to expire after a period of time, usually for security purposes.
For example, Active Directory includes the GPO option "Maximum password age".
When a password expires, it can no longer be used by CA PAM because it will fail to authenticate.
To ensure this never happens, PAM has a Password Expiration feature that includes an option to force rotation of passwords when they expire.
There are two main settings that need to be configured to enable password expiration.
The first part is to set the account up to have a maximum password age (expiration time).
This will only enable the date tracking feature and is not enough to make the passwords rotate automatically after the expiration.
The second part is to enable the automatic rotation once the passwords expire.
Part 1 - Set account(s) to track password age/expiration:
Part 2 - Enable Automatic Update of Expired Passwords:
How does the automatic rotation work?
Once the password has expired, it will be rotated automatically during the next job run. The expired password processor runs about every 12 hrs. The interval may be longer if there are a lot of expired passwords to process. It starts a few minutes after a service restart, such as after a reboot, or when a cluster is turned on.
How can the current expiration status of an account be checked?
To check the status, navigate to Credentials > Manage Targets > Accounts, then open the account and switch to the Password tab. This will show the account information, including expiration information like the examples below:
The account above is already expired. Here are some examples of the other statuses that may be seen:
Tip: For an even safer configuration, it is possible to set PAM to use an administrative account to rotate passwords instead of the account rotating its own password. This way, if there is ever a problem with the account's own password, the rotation should still work as long as the administrative account is still working.
Related Documentation:
Construct Password Composition Policies