P-Synch External Notification Script Facility Software revision: 6.2 Last changed: May 28, 2004

Upload: hitachiid

Post on 29-Nov-2014



Contents

1 Introduction

2 Interface architecture
    2.1 Example interface
        2.1.1 Business requirement
        2.1.2 Interface details
    2.2 Implementing business logic
        2.2.1 Setting exit traps
        2.2.2 Script files
    2.3 System variables that can trigger notification

© 2004 M-Tech Information Technology, Inc.


1 Introduction

P-Synch can be interfaced to your help desk system, so that call records (problem tickets) are automatically generated or updated.

This interface provides two major benefits:

• P-Synch can report its actions to the help desk system, providing a uniform method of logging for different types of incidents, including password problems.

• Support staff need not enter redundant information about calls: once into the help desk system and again into P-Synch.

A standard facility is used to interface P-Synch to any help desk system, from any vendor. This facility can:

• Exchange data with the help desk system when any of a wide range of events transpires on the P-Synch server. Events include user and administrator authentication, password verification or reset, security violations, successful or failed operations, and so on.

• Capture your work flow and business logic with a scripting facility. You can configure the software to execute different actions when different events take place.

• Update information about existing records in your help desk system in real time.

• Create new call records in your help desk system, in real time.

• Send SMTP e-mail.

• Execute programs on the P-Synch server.

The help desk interface uses scripts written in the M-Tech Interface Language to define the interaction between P-Synch and external systems. See “M-Tech Interface Language” on Page 827 in the “P-Synch Installation and Configuration Guide” to learn more about the M-Tech Interface Language.

The rest of this chapter describes the P-Synch / help desk interface in detail.


2 Interface architecture

The architecture of the external help desk system interface is illustrated in Figure 1, on Page 2.

Figure 1: Help desk interface components

[Diagram not reproduced. Labels in the diagram: P-SYNCH SERVER; WWW server (IIS); CGI; P-Synch user interface program; Password agent (three); Notification program; Script file; "Standard scripting language for all interfaces"; Target system (three); Help desk call tracking system; E-mail system; Database server. Connection labels: API; SQLnet, TDS, ODBC; API, Mail GW; SMTP. Annotations: "Manage passwords on target systems" and "Notify external system of results".]

Many event types are available and each one may be used to trigger the same or a different program. For instance, it is possible to populate tickets in one help desk system on some events, and in another help desk system for other events.

The event types that can trigger P-Synch to notify an external system are listed in:

• Table 1, on Page 6: Self-service password changes.

• Table 2, on Page 7: Help desk access.

• Table 3, on Page 8: Transparent synchronization.

• Table 4, on Page 10: Self-service Q&A profile builder.

• Table 5, on Page 11: Self-service registration for synchronization.

• Table 6, on Page 12: Self-service token management.

• Table 7, on Page 13: Self-service alias profile builder.


Whenever a defined event type takes place:

1. The P-Synch server checks whether an action has been associated with this event; if so, it starts the associated external program.

2. The external program reads a log that describes everything that has happened so far in the login session.

3. The external program reads a script file.

4. The subsection in the script describing the particular event is found.

5. The actions for that subsection are performed.

This includes the ability to search for data in the help desk system, add data to the help desk system, iterate through the information from the event log, send e-mail messages, and so on.

2.1 Example interface

An example illustrates how the interface works:

2.1.1 Business requirement

When a user attempts to access the self-service password reset facility in P-Synch, and fails to authenticate (for example, by incorrectly answering personal questions), the following events should take place:

1. Search the help desk system for previous failed authentication attempts by the same user.

2. If there is a previous failed attempt, send an e-mail to a security officer, warning that the event may be an attempted intrusion.

3. Log the current attempt with the relevant information such as the date, time and user ID.

2.1.2 Interface details

This interface is implemented by defining an “exit trap” in P-Synch, for the event type SELF IDENTIFY FAILURE. Exit traps are defined by setting a system variable on the P-Synch administration GUI, where the variable’s value is the name of a program to execute.


The exit trap is used to run a standard interface program (for example, Remedy 4.x uses pxrem4.exe, and Peregrine ServiceCenter 3 uses pxper3.exe), which executes the SELF IDENTIFY FAILURE script procedure.

The procedure is implemented with the following script statements:

    global
    {
        $server = "srv.mydomain.com"
        $username = "person"
        $password = "mypass"
        $smtpserver = "mail.mydomain.com"
        $smtpport = "25"
        $smtpfromdomain = "mydomain.com"
        $smtpfromname = "admin"
        $smtptodomain = "mydomain.com"
    }

    operation(SELF_IDENTIFY_FAILURE)
    {
        // Search for a previous failed attempt
        search "User" "%USERID%" next search_error
        {
            $lastfail = "Previous Failure"
        }

        // Create a string describing this failure
        $thisfail = "Failed attempt by %USERID% on %CTIME% because %OPERATION%"

        if ( $lastfail == "" )
        {
            // First time, just log this one
            goto record_entry
        }
        else
        {
            // Security violation!
            $subject = "Alert! Security violation"
            $message = "The previous violation was " + $lastfail + "\n"
            $message += "This violation is " + $thisfail + "\n"
            mail ("security", $subject, $message)
            goto record_entry
        }

    [record_entry]
        // Record this new violation (an assign works on the current record)
        assign next assign_error
        {
            "Previous Failure" = $thisfail
        }

        // Exit successfully
        success

    [search_error]
        failure "search failed: " + $error

    [assign_error]
        failure "assign failed: " + $error
    }
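The business requirement and the SELF IDENTIFY FAILURE procedure above, re-expressed in Python as an added example (it is not M-Tech or P-Synch code). The HelpDeskStub class, the clean() helper, the name@domain form of the mail addresses and the sample events are assumptions constructed for illustration; clean() strips control characters from event fields before they reach the ticket or the alert mail.

```python
from dataclasses import dataclass, field
from email.message import EmailMessage


@dataclass
class HelpDeskStub:
    """Hypothetical stand-in for a help desk API: one record per user ID."""
    records: dict = field(default_factory=dict)

    def search(self, user_id):
        # Stored "Previous Failure" text, or "" when the user has none.
        return self.records.get(user_id, {}).get("Previous Failure", "")

    def assign(self, user_id, text):
        self.records.setdefault(user_id, {})["Previous Failure"] = text


def clean(value, limit=64):
    """Drop control characters (CR/LF included) and bound the length, so an
    event-log field cannot add lines to a ticket or to the alert mail."""
    return "".join(ch for ch in str(value) if ch.isprintable())[:limit]


def on_self_identify_failure(event, helpdesk, outbox):
    """Process one SELF_IDENTIFY_FAILURE event; True if an alert was queued."""
    user = clean(event["USERID"])
    this_fail = "Failed attempt by {} on {} because {}".format(
        user, clean(event["CTIME"]), clean(event["OPERATION"]))

    last_fail = helpdesk.search(user)        # 1. look for a previous failure
    if last_fail:                            # 2. repeat failure: warn security
        msg = EmailMessage()
        msg["From"] = "admin@mydomain.com"   # assumed name@domain form
        msg["To"] = "security@mydomain.com"
        msg["Subject"] = "Alert! Security violation"
        msg.set_content("The previous violation was {}\nThis violation is {}\n"
                        .format(last_fail, this_fail))
        outbox.append(msg)                   # queued only; nothing is sent
    helpdesk.assign(user, this_fail)         # 3. always log the current attempt
    return bool(last_fail)


# Constructed sample events; keys mirror %USERID%, %CTIME% and %OPERATION%.
SAMPLE_EVENTS = [
    {"USERID": "alice", "CTIME": "2004-05-28 09:00:01", "OPERATION": "bad answers"},
    {"USERID": "bob", "CTIME": "2004-05-28 09:02:10", "OPERATION": "bad answers"},
    {"USERID": "alice", "CTIME": "2004-05-28 09:05:44", "OPERATION": "bad answers"},
    {"USERID": "carol\r\nextra line", "CTIME": "2004-05-28 09:06:00",
     "OPERATION": "bad answers"},
]


def run_demo():
    """Feed the constructed events through the handler in order."""
    helpdesk, outbox = HelpDeskStub(), []
    alerts = [on_self_identify_failure(e, helpdesk, outbox) for e in SAMPLE_EVENTS]
    return alerts, helpdesk, outbox


if __name__ == "__main__":
    alerts, helpdesk, outbox = run_demo()
    print(alerts)
    for message in outbox:
        print(message)
```

The script on this page keeps $password in clear text in its global block, so the script file should be readable only by the account that runs the notification program.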

2.2 Implementing business logic

2.2.1 Setting exit traps

To enable exit traps, you must configure P-Synch as follows.

1. Log into the administration program (/psynch/nph-psa.exe).

2. Click Configure P-Synch.

3. Click Web modules.

4. Click the web module from which you want to trigger notification.

5. Enable the exit trap variable corresponding to the event that takes place on the P-Synch server.

6. In the field next to the variable name, type the name of the program with which P-Synch will interface when the event occurs.

Some events are triggered by services (in particular, by the pushpass synchronization service). To activate these:

1. Log into the administration program (/psynch/nph-psa.exe).

2. Click Server monitor, then Services.

3. Click Manage next to the service you want to modify.

4. In the appropriate fields, type the name of the notification program in the Program to execute when . . . field.


2.2.2 Script files

A script file defines the interaction between P-Synch and the help desk system. A different sequence of actions may be defined for every type of event.

2.3 System variables that can trigger notification

Table 1: System variables used to launch interface programs from the Self-service password reset module (nph-pss.exe)

Variable name | Executes a program when...
SELF IDENTIFY START | A user attempts to identify himself to the password self-reset program.
SELF IDENTIFY SUCCESS | A user successfully identifies himself to the password self-reset program.
SELF IDENTIFY FAILURE | A user fails to identify himself to the password self-reset program.
SELF IDENTIFY LOCKOUT | Someone entered invalid identification information too many times, and a user’s account was locked out of all P-Synch self-service modules.
SELF RESET START | An authorized user requests one or more password resets on his own account.
SELF RESET SUCCESS | P-Synch successfully resets a set of passwords for a user in the self-reset password program.
SELF RESET FAILURE | P-Synch fails to reset at least one password for a user in the self-reset password program.
AGENT TIMEOUT | A password agent timed out.


Modified in version 6.2.6

Table 2: System variables used to launch interface programs from the P-Synch help desk password reset program

Variable name | Executes a program when...
ADMIN ENABLE USER | A help-desk operator successfully enables a P-Synch user ID.
ADMIN DISABLE USER | A help-desk operator successfully disables a P-Synch user ID.
ADMIN ENABLE SUCCESS | A help-desk operator successfully enables another help-desk operator’s user ID.
ADMIN DISABLE SUCCESS | A help-desk operator successfully disables another help-desk operator’s user ID.
ADMIN LOGIN SUCCESS | A help-desk operator successfully logs into the P-Synch help desk program.
ADMIN LOGIN FAILURE | Someone entered an invalid login ID or password into the P-Synch help desk
ADMIN LOGIN LOCKOUT | Too many invalid administrator logins have caused the account to be locked out from P-Synch.
ADMIN SEARCH SUCCESS | A help-desk operator searched for a user and a match was found in the database.
ADMIN SEARCH FAILURE | A help-desk operator searched for a user and no match was found in the database.
ADMIN RESET START | A help-desk operator requested a set of password resets for a user.
ADMIN RESET SUCCESS | The P-Synch help desk program successfully completed a set of password resets.
ADMIN RESET FAILURE | The P-Synch help desk program completed a set of password resets, with at least one failure.
ADMIN AUTHUSR SUCCESS | A help-desk operator correctly answered authentication questions on behalf of a caller.
ADMIN AUTHUSR FAILURE | A help-desk operator failed to correctly answer authentication questions on behalf of a caller.
ADMIN CGIPLUGIN RUN | A help-desk operator activated a plug-in module. See the complete Installation Guide for information about configuring such a plug-in.
ADMIN DELALIAS SUCCESS | A help-desk operator deleted a user’s alternate login ID.
ADMIN DELALIAS FAILURE | P-Synch failed to delete a login ID (technical or access rights problem).
ADMIN DUPLICATE ALIAS | A help-desk operator tried to add an alternate login ID to a user, but that login ID is already assigned, so the update failed.
ADMIN UPDALIAS SUCCESS | A help-desk operator updated an existing alternate login ID.
ADMIN UPDALIAS FAILURE | P-Synch failed to update an existing alternate login ID.
AGENT TIMEOUT | A password agent timed out.

Table 3: System variables used to launch interface programs from the P-Synch transparent password synchronization program

Variable name | Executes a program when...
TRANSPARENT QUEUE | A new password was intercepted on a trigger system and queued for synchronization on the P-Synch server.
TRANSPARENT SINGLE SUCCESS | An individual password was synchronized for a user by the P-Synch interceptor service.
TRANSPARENT SINGLE FAILURE | The P-Synch interceptor service attempted to synchronize a single password for a user, and failed after the specified sequence of retries.
TRANSPARENT GROUP SUCCESS | Every password was synchronized for a user by the P-Synch interceptor service.
TRANSPARENT GROUP FAILURE | The P-Synch interceptor service attempted to synchronize a group of passwords for a user, and failed on at least one of the passwords after the specified sequence of retries.
PP STRENGTH FAILED | The P-Synch interceptor service rejected a user’s password, because it failed at least one password policy rule. This exit point is useful for automatically sending the user a reminder describing the password policy.
PP DISABLE DIFFPW | Transparent synchronization will not follow a trigger event received earlier. The most recent trigger event sets the same user’s password to a different value than the event indicated.
PP CHECK FINDUSER FAIL | The P-Synch interceptor service attempted to check a password against password strength rules, and did not find the user in the P-Synch user table.
PP CHECKNCHANGE FINDUSER FAIL | The P-Synch interceptor service attempted to check a password against password strength rules and change it, and did not find the user in the P-Synch user table.


Table 4: System variables used to launch interface programs from the P-Synch self-service question and answer profile builder.

Variable name | Executes a program when...
PSQ DONE | A user successfully completes the minimum number of questions and answers as specified for each question set.
PSQ NOT DONE | A user fails to complete the minimum number of questions and answers as specified for each question set.
UQA LOGIN SUCCESS | A user successfully identifies himself to the self-service Q&A profile builder.
UQA LOGIN FAILURE | A user fails to identify himself to the self-service Q&A profile builder.
UQA LOGIN LOCKOUT | Someone entered invalid identification information too many times, and a user’s account was locked out of all P-Synch self-service modules.
UQA ADD SUCCESS | The user defined one or more new question / answer pairs, then submitted the changes for the question set.
UQA ADD FAILURE | The user tried to add one or more new question / answer pairs, but failed for some reason.
UQA UPDATE SUCCESS | The user changed one or more existing question / answer pairs, then submitted the changes for the question set.
UQA UPDATE FAILURE | The user tried to change one or more existing question / answer pairs, but failed for some reason.
UQA DELETE SUCCESS | The user deleted one or more existing question / answer pairs, then submitted the changes for the question set.
UQA DELETE FAILURE | The user tried to delete one or more existing question / answer pairs, but failed for some reason.
ADMIN ADDQA SUCCESS | A help-desk user defined one or more new question / answer pairs for a user, then submitted the changes for the question set.
ADMIN ADDQA FAILURE | A help-desk user tried to add one or more new question / answer pairs for a user, but failed for some reason.
ADMIN UPDATEQA SUCCESS | A help-desk user changed one or more existing question / answer pairs for a user, then submitted the changes for the question set.
ADMIN UPDATEQA FAILURE | A help-desk user tried to change one or more existing question / answer pairs for a user, but failed for some reason.
ADMIN DELETEQA SUCCESS | A help-desk user deleted one or more existing question / answer pairs for a user, then submitted the changes for the question set.
ADMIN DELETEQA FAILURE | A help-desk user tried to delete one or more existing question / answer pairs for a user, but failed for some reason.

Table 5: System variables used to launch interface programs from the P-Synch web-based registration facility.

Variable name | Executes a program when...
REG IDENTIFY SUCCESS | A user successfully identifies himself to the web-based registration facility.
REG IDENTIFY FAILURE | A user fails to identify himself to the web-based registration facility.
REG IDENTIFY LOCKOUT | Someone entered invalid identification information too many times, and a user’s account was locked out of all P-Synch self-service modules.
REG REGISTRATION SUCCESS | The user registered for transparent synchronization.
REG REGISTRATION FAILURE | The user tried to register for transparent synchronization, but failed for some reason.
REG CANCELLATION SUCCESS | The user disabled transparent synchronization.
REG CANCELLATION FAILURE | P-Synch failed to disable synchronization for the user.


Table 6: System variables used to launch interface programs from the P-Synch self-service SecurID token administration program.

Variable name | Executes a program when...
PIN IDENTIFY SUCCESS | A user successfully identifies himself to the self-service SecurID token administration program.
PIN IDENTIFY FAILURE | A user fails to identify himself to the self-service SecurID token administration program.
PIN IDENTIFY LOCKOUT | Someone entered invalid identification information too many times, and a user’s account was locked out of all P-Synch self-service modules.
PIN ENABLE SUCCESS | The user successfully (re)enabled his SecurID token.
PIN ENABLE FAILURE | The user tried to (re)enable his token, but failed for some reason.
PIN DISABLE SUCCESS | The user successfully disabled his SecurID token.
PIN DISABLE FAILURE | The user tried to disable his token, but failed for some reason.
PIN EMERGENCYON SUCCESS | The user successfully set his token to emergency access mode, and received some emergency access numbers.
PIN EMERGENCYON FAILURE | The user failed to activate emergency access mode.
PIN EMERGENCYOFF SUCCESS | The user disabled emergency access mode for his token.
PIN EMERGENCYOFF FAILURE | The user failed to disable emergency access mode for his token.
PIN CLEARPIN SUCCESS | The user cleared the PIN associated with his SecurID token on the ACE database.
PIN CLEARPIN FAILURE | The user failed to clear the PIN associated with his SecurID token on the ACE database.
PIN SETPIN SUCCESS | The user set a new PIN for his SecurID token on the ACE database.
PIN SETPIN FAILURE | The user failed to set a new PIN for his SecurID token on the ACE database.
PIN RESYNCHRONIZE SUCCESS | The user resynchronized his token with the ACE server.
PIN RESYNCHRONIZE FAILURE | The user failed to resynchronize his token with the ACE server.

Table 7: System variables used to launch interface programs from the P-Synch self-service login alias profile builder.

Variable name | Executes a program when...
PSL DONE | A user successfully registers the minimum number of accounts specified by the PSL MINACCOUNTS variable.
PSL NOT DONE | A user fails to register the minimum number of accounts specified by the PSL MINACCOUNTS variable.
UALS IDENTIFY SUCCESS | A user successfully identifies himself to the self-service alias profile builder.
UALS IDENTIFY FAILURE | A user fails to identify himself to the self-service alias profile builder.
UALS IDENTIFY LOCKOUT | Someone entered invalid identification information too many times, and a user’s account was locked out of all P-Synch self-service modules.
UALS UPDATE SUCCESS | The user changed an alternate login ID for himself on at least one system.
UALS UPDATE FAILURE | The user tried to change an existing login ID in his profile, but failed for some reason.
UALS DELETE SUCCESS | The user deleted a login ID for himself on some system – showing that he now has a standard-name login account on that system.
UALS DELETE FAILURE | The user tried to delete a login ID from his profile, but failed for some reason.
UALS VERIFY FAILURE | The user tried to modify an ID in his profile (add, update or delete), but failed because the password he provided for his login on that system could not be verified.
UALS VERIFY LOCKOUT | The user gave an invalid password too many times for an alternate login ID. He is now locked out of P-Synch.
UALS DUPLICATE ALIAS | The user tried to claim an alternate login ID that has already been assigned, and so was denied the ID.

© 2004 M-Tech Information Technology, Inc. All rights reserved. M-Tech, P-Synch, ID-Synch are trademarks of M-Tech Information Technology, Inc. in the United States, Canada and all other countries. All other marks, symbols and trademarks are the property of their respective owners.

Document date: May 28, 2004
Document location: psdocs project

M-Tech Information Technology, Inc.
#203, 735-12th Avenue SW, Calgary, AB Canada T2R 1J7

Tel: 1.403.233.0740 Fax: 1.403.233.0725 [email protected]

mtechIT.com