Hi Nikunj,
Q: So, do you mean that I have to have one reconcile account for every endpoint, which is (obviously) capable of changing the password?
A: The best way to put this is that you would need one reconcile account for every "authentication source". Sources like AD would only need one account to use across all connected endpoints, while sources like local authentication on Linux would require one account per endpoint since they are not linked.
Q: But for Linux endpoints, do I need to have separate accounts for each endpoint?
A: In general for Linux endpoints you would likely need an individual account for each endpoint. It is possible however that if you use other software, like CA Unix Authentication Broker, that your Linux servers could be set up to use a centralized authentication method in which case you could use a shared admin.
Q: Also, please let me know when the automatic verification of accounts happens.
A: There are a few times when the account status may be verified:
- When you first create it
- When you manually click the verify button
- When a scheduled job is run to "Verify account Passwords" (as suggested above)
- Whenever the password is changed by PAM (including both manual & automated changes)
Statement: I have set the policy to change the password on view, and the password change is happening fine. Now, when I check the account in PAM, I can see that it is not verified. When I manually verify it, it gets verified.
Response: The account should have been verified when the password was changed. You could look into what happened yourself by increasing the Tomcat log level to 'config', reproducing this issue and then viewing the recent entries in the Tomcat log. This should explain what happened during the credential rotation & will show errors if there were any. If you keep seeing this and are unable to figure out what is going on on your own, I would suggest opening a support case to have this looked into.
Regards,
Christian Lutz
Support Engineer
CA Technologies - North America