Proxy Configuration

The TSS Endpoint page contains a section where you can configure a proxy administrative ID and password to be used for user password changes made from the SAWI interface. When configured, this ID and password are used to issue the password change request on behalf of the SAWI user. This is needed when a SAWI user cannot supply a current password (for example, the password is forgotten) or the password has expired in Top Secret, so the user cannot be authenticated directly. The following is an explanation of the algorithm the TSS Agent follows when a password change is initiated through SAWI using a proxy administrator:

  1. Under the authority of the proxy ID, an administrative reset sets the SAWI user's password to an eight-digit random number. This intermediate step is needed because the final change must be made under the SAWI user's own authority, which is what causes the password syntax rules specified by the NEWPW Control Option to be enforced. Since the SAWI user can initiate a password change without supplying their current password, the administrative reset sets the password to a value known to the TSS Agent. The reset password is immediately expired, so if anything fails after this point the random value cannot be used to sign on to the system.
  2. After the administrative reset, the TSS Agent issues a password change under the authority of the SAWI user, authenticating with the random-number password. This change is subject to the password syntax rules specified by the NEWPW Control Option, and the SAWI user sees an appropriate message if the new password does not comply.

When a proxy administrative ID is used, standard TSS security rules apply (for example, scoping of the proxy ID), and the password syntax checking specified by the NEWPW Control Option is enforced on the user's new password. However, the NEWPW Control Option MINDAYS value for the user is not enforced, because the administrative reset is performed by an administrator and the resulting password is set to expire immediately. If the administrative reset password were not set to expire immediately, MINDAYS would be enforced on the subsequent password change by the Self-Service user, and that change would likely fail.
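The two-step algorithm above, together with the scoping and MINDAYS behaviour described in the previous paragraph, as an added example that is not TSS Agent or Top Secret code. `SimulatedTopSecret`, `proxy_password_change`, the ACID names and the NEWPW settings (minimum length, letters plus digits, MINDAYS=1) are assumptions made for the illustration; real Top Secret command syntax is not reproduced. What the model makes visible is the property the design relies on: the intermediate random password is already expired when step 2 runs, so a rejected new password leaves the user unable to sign on rather than holding a known temporary password, and the expired state is also why MINDAYS does not block the user-authority change.

```python
"""Model of the proxy password-change algorithm (added illustration).

The security file, the NEWPW syntax checks and the MINDAYS rule are
simulated so the control flow can be run offline.  Nothing here is
Top Secret or TSS Agent code.
"""
import re
import secrets


class PasswordRejected(Exception):
    """Raised when a password change is refused by the simulated NEWPW rules."""


class NotAuthorized(Exception):
    """Raised when an ACID acts on a user outside its administrative scope."""


class SimulatedTopSecret:
    """Stand-in for the security file.  Assumed NEWPW settings: a minimum
    length, a letters-plus-digits requirement, and MINDAYS in days."""

    def __init__(self, min_len=8, mindays=1):
        self.min_len = min_len
        self.mindays = mindays
        self.users = {}   # acid -> {"password", "expired", "changed_on"}
        self.scopes = {}  # admin acid -> set of acids it may administer

    def add_user(self, acid, password, changed_on):
        self.users[acid] = {"password": password, "expired": False,
                            "changed_on": changed_on}

    def grant_scope(self, admin_acid, *acids):
        self.scopes.setdefault(admin_acid, set()).update(acids)

    def signon(self, acid, password):
        """A sign-on succeeds only with a correct, non-expired password."""
        u = self.users[acid]
        return u["password"] == password and not u["expired"]

    def check_newpw_syntax(self, password):
        """Simulated NEWPW syntax rules (assumed settings, not the real option)."""
        if len(password) < self.min_len:
            raise PasswordRejected("shorter than NEWPW minimum length")
        if not (re.search(r"[A-Za-z]", password) and re.search(r"\d", password)):
            raise PasswordRejected("NEWPW requires letters and digits")

    def admin_reset(self, admin_acid, target_acid, new_password, today, expire):
        """Administrative reset: subject to scoping, but not to NEWPW syntax
        or MINDAYS, which is why the text needs the second step."""
        if target_acid not in self.scopes.get(admin_acid, set()):
            raise NotAuthorized(f"{admin_acid} cannot administer {target_acid}")
        u = self.users[target_acid]
        u["password"] = new_password
        u["expired"] = expire
        u["changed_on"] = today

    def user_change(self, acid, current_password, new_password, today):
        """Change under the user's own authority.  The current password must
        match (an expired one may still be used to change), NEWPW syntax is
        enforced, and MINDAYS is enforced unless the current password is expired."""
        u = self.users[acid]
        if u["password"] != current_password:
            raise PasswordRejected("current password incorrect")
        if not u["expired"] and today - u["changed_on"] < self.mindays:
            raise PasswordRejected("MINDAYS not yet elapsed")
        self.check_newpw_syntax(new_password)
        u["password"] = new_password
        u["expired"] = False
        u["changed_on"] = today


def proxy_password_change(tss, proxy_acid, user_acid, new_password, today):
    """The two-step algorithm from the text.  Returns (ok, reason)."""
    # Step 1: reset to a random eight-digit value, expired at once, so a
    # failure in step 2 never leaves a usable password behind.
    temp = f"{secrets.randbelow(10**8):08d}"
    tss.admin_reset(proxy_acid, user_acid, temp, today, expire=True)
    # Step 2: change under the user's authority using the temporary value;
    # NEWPW syntax applies here and the rejection reason goes back to the user.
    try:
        tss.user_change(user_acid, temp, new_password, today)
    except PasswordRejected as exc:
        return False, str(exc)
    return True, "password changed"
```

Running the model with a user who changed their password earlier the same day shows the three outcomes the text describes: a direct user change is blocked by MINDAYS, the proxy path succeeds because the reset password is expired, and a non-compliant new password leaves the user with an expired random password that cannot be used to sign on.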

Note: The check boxes on the Endpoints Setting tab are for legacy purposes only. You can perform proxy configuration and administrative support from the Self-Service interface.