How to issue Initial Random Application passwords for new users?

Article ID: 52408

Products

CA Single Sign-On

Issue/Introduction

Description:

One of the biggest challenges when implementing CA SSO is how to issue initial application passwords to new users, for example during the initial rollout of the product.

Out of the box, the CA SSO Client prompts new users with the Learn Mode dialog so that it can learn the application passwords for the available applications.

However, this may not be acceptable in environments where the rollout is to be fully automated.

This document describes an approach that first resets the application password and then sets a new random password at the next login.

Solution:

To meet the requirement that the user never learns the password that is set, you need a password generator.

The SSO Server's password generator only triggers when the "password interval" criterion of the password policy is met.
There is no way to trigger it earlier, so you need a second password generator, which you can implement in your Tcl script.
The password created on the SSO Client can then be uploaded to the SSO Server.

A typical requirement is to set an initial application password, e.g.:

  • Define a new user with an initial dummy application password
    (the dummy password avoids the Learn Mode on the SSO Server side and provides the initial login to the actual application, which will then issue a password-change challenge).

  • Define your password policy according to your needs.

  • The first time the script runs, it finds the initial dummy password, generates the random password and finally forwards it to the SSO Server.
    (To determine whether the script is running for the very first time you can, for example, compare the current password with the dummy value and store the generated password in the script variable "RNDpwd":)
    if {[string compare $_PASSWORD dummy] == 0} {set RNDpwd [genRNDpwd]}

  • This is the procedure that generates a random 7-character password, stores it in the variable "RNDpwd" and returns it (you should not find it difficult to adjust it to your needs):
    proc genRNDpwd {} {
        # Alphabet: A-Z and 0-9, 36 symbols
        set a1 {A B C D E F G H I J K L M N O P Q R S T U V W X Y Z 0 1 2 3 4 5 6 7 8 9}
        set RNDpwd ""
        # Pick 7 symbols; int(rand()*36) yields 0..35, so every symbol of the list can be chosen.
        # rand() is Tcl's seeded PRNG, not a cryptographic generator; use a stronger source if your policy requires it.
        for {set i 0} {$i < 7} {incr i} {
            set a [expr {int(rand() * 36)}]
            append RNDpwd [lindex $a1 $a]
        }
        return $RNDpwd
    }

  • To upload the new password to the SSO Server:
    sso chlogin -loginname $_LOGINNAME -password $RNDpwd -appname $_APPNAME
    sso notify -event pwdchange -status 0 -appname $_APPNAME
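
The flow above, modelled as an added Python example (not part of this article and not CA code): it detects the first run by the dummy password, draws the 7-character password uniformly from the article's 36-symbol alphabet with a cryptographic RNG, checks an assumed policy rule (at least one letter and one digit), reports the resulting entropy, and returns the two sso command lines to run. The `sso` commands are built as argument lists rather than executed, since they only exist inside the SSO Client script environment.

```python
import math
import secrets
import string

# Alphabet the article's Tcl generator draws from: A-Z plus 0-9, 36 symbols.
ALPHABET = string.ascii_uppercase + string.digits
# Initial placeholder password used in the article's first-run check (constructed value).
DUMMY_PASSWORD = "dummy"


def password_entropy_bits(length, alphabet_size):
    """Entropy of a uniformly drawn password: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


def meets_policy(pwd):
    """Assumed policy rule: at least one letter and one digit (adjust to your pwd-policy)."""
    return any(c.isalpha() for c in pwd) and any(c.isdigit() for c in pwd)


def gen_rnd_pwd(length=7, alphabet=ALPHABET):
    """Draw each character uniformly with secrets.choice (CSPRNG, every symbol reachable),
    retrying until the policy rule is met."""
    while True:
        pwd = "".join(secrets.choice(alphabet) for _ in range(length))
        if meets_policy(pwd):
            return pwd


def initial_password_commands(login, appname, current_password, new_password=None):
    """First-run detection as in the article: only while the stored application
    password is still the dummy is a password generated and uploaded.
    Returns the two sso command lines (as argv lists), or None on later runs."""
    if current_password != DUMMY_PASSWORD:
        return None
    if new_password is None:
        new_password = gen_rnd_pwd()
    return [
        ["sso", "chlogin", "-loginname", login, "-password", new_password,
         "-appname", appname],
        ["sso", "notify", "-event", "pwdchange", "-status", "0", "-appname", appname],
    ]
```

Note that 7 characters from a 36-symbol alphabet give only about 36 bits of entropy, which is the figure to compare against your password policy.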

Please note that all these script snippets, and scripting advice in general, are not covered by CA Support Services.

Environment

Release: SOASA199000-12.1-SOA Security Manager-w/ SOA Agent Addl CPUs