IBM Verify

  • 1.  Password reset for Hosted ITIM Account

    Posted Wed May 12, 2021 09:21 AM
    Hello, I am trying to reset the password for users whose hosted ITIM account becomes inactive after answering security questions incorrectly. I am making API calls of WSAccountService.restoreAccount() to make the hosted ITIM account active again and also passing the password to be used during restore. The issue is that when the user tries to log in, they get an incorrect username/password error. I want to understand the difference between the password reset using the restoreAccount method call and the password change method call of WSPasswordService.

    ------------------------------
    Shivam Singh
    ------------------------------


  • 2.  RE: Password reset for Hosted ITIM Account

    Posted Thu May 13, 2021 08:48 AM
    Edited by Franz Wolfhagen Thu May 13, 2021 08:50 AM
    I think your problem is that ITIM accounts are not completely like other accounts in ISIM. All other services have an associated serviceProfile entry in the LDAP where the account restore behavior is determined (see e.g. https://www.ibm.com/docs/en/sia?topic=ca-managing-passwords-when-you-restore-accounts-6) - there is no such entry for ITIM services. I believe (and I am not 100% sure) that this means that you cannot supply a password to the restore of an ITIM account - and you will probably also need to perform a password reset to set a known password.
    I am wondering why you want to do this from remote - IMHO it would be much better/faster/easier to do this in a custom operational systemuser workflow and then have LCR trigger the relevant accounts (that of course means that these can be found via LDAP filters - else you do a global operation that finds the accounts and calls the relevant systemuser operation).
    A last comment - I still wonder why corporations still think Challenge/Response is a relevant security measure - one thing is that a mature product like ISIM implements it - but it does not mean it is sound security.... I personally would recommend not to use it.

    HTH

    ------------------------------
    Franz Wolfhagen
    IAM Technical Architect for Europe - Certified Consulting IT Specialist
    IBM Security Expert Labs
    ------------------------------



  • 3.  RE: Password reset for Hosted ITIM Account

    Posted Wed May 26, 2021 01:41 PM
    Hello Franz, thank you for your reply.

    I am not familiar with ISIM and it is totally new for me. I need to make the hosted ITIM account active so that the password reset succeeds; the operation, however, requires a password to be passed according to the WSDL file.

    <element name="restoreAccount">
      <complexType>
        <sequence>
          <element name="session" type="tns1:WSSession"/>
          <element name="accountDN" type="xsd:string"/>
          <element name="newPassword" type="xsd:string"/>
          <element name="date" nillable="true" minOccurs="0" type="xsd:dateTime"/>
        </sequence>
      </complexType>
    </element>
    As the password attribute is not nillable, I am forced to pass a value to make it work. It seems to make the account active and the code flow continues to reset the password for the other accounts of the user, but the login doesn't work with the new password.

    ------------------------------
    Shivam Singh
    ------------------------------



  • 4.  RE: Password reset for Hosted ITIM Account

    Posted Wed May 26, 2021 02:57 PM
    Well - I still do not really understand what your use case is - but anyhow - I believe that restore account should be possible (for services where that is possible) without sending a new password.

    I suggest you open a case and have this looked at by our friendly support team.

    ------------------------------
    Franz Wolfhagen
    IAM Technical Architect for Europe - Certified Consulting IT Specialist
    IBM Security Expert Labs
    ------------------------------