Recently, Solaris 11 and Red Hat 6 changed the default password hashing algorithm from MD5 to SHA-256 and SHA-512.
To support these algorithms, IM changes its functionality as follows:
IM agent r12.6 SP3 and above will support SHA-256 and SHA-512 through the IM agentless way, not the IM agent way.
Unfortunately, customers have been using the IM agent way very well to date on all platforms except Solaris 11 and Red Hat 6.
Many customers think this sort of communication between the IM server and the IM agent is the standard method for IM implementation.
As new platforms like Solaris 11 and Red Hat appear in the market, customers should change their standard method from the IM agent way to IM agentless in order to get SHA-256 and SHA-512 support.
Most vendors use an agentless approach for OS. It is the customers' trend, but there are a lot of customers and existing CA IDM customers who want agent-based OS provisioning.
Below is the feedback from customers:
- In the agentless approach, the provisioning server should have the root or a privileged password. It should be maintained carefully. There is no way to auto-detect or recover if the root user changes their own password separately.
- Customers have PIM solutions to change the root password (CA, CyberArk, Dell). Those PIM solutions do not have user provisioning. CA IDM is used for user provisioning. In the agentless method, CA IDM cannot get the updated password from the PIM solution automatically.
- The agent-based solution is more flexible when used together with exit(). It can add additional actions when changing a password, creating a user, or deleting a user.
We have been using these stories with many IDM customers, and they are expanding their implementation coverage in OS. If we cannot cover Solaris 11 and Red Hat 6, it could be a weakness in the IM product.