Basic Configuration¶
Info
The actions described in this section are optional. The configuration is usually done once per EPAS MASTER, before deploying the Enforcer on the first target system.
Several options should be set before deploying the Enforcer on the target systems. The generic Enforcer behavior is configured on the Enforcer » Settings page. This section serves as a reference for the available choices. Additional information is found in the PQENF Operations Manual.
Service settings¶
The Service Settings section defines the generic configuration of the EPAS Enforcer service running on the EPAS MASTER. The following configuration parameters can be set:
- Master service enabled: enables the Enforcer service on the EPAS MASTER. It is recommended to keep this option enabled on the MASTER, so that it can act as the failover/fallback target for password change requests.
- Master service port: defines the port on which the MASTER accepts password change requests from the domain controllers or any other system enrolled in the Enforcer.
- Master revision: read-only value showing the version of the Enforcer configuration the MASTER runs on. This is the main configuration revision and is also replicated to the EPAS AGENTs. Each policy modification or server group modification increments the revision by one.
Other available actions in this area are:
- DELETE ALL DATA: deletes all Enforcer data, which includes policies, generated keys, dictionaries and log data. Use this function only after deprovisioning the target systems.
- CLEAR ALL LOGS: the Logs menu contains one entry per failed or successful password change. This function deletes the stored data associated with those records. Use it only when the Logs database grows considerably in size, or periodically to purge log data.
- RESTART SERVICE: restarts the Enforcer service on the EPAS MASTER. Used when troubleshooting the Enforcer endpoint.
Diagnostic and error logs¶
The Diagnostic Log window shows information on the Enforcer service, as well as the status of replication and policy synchronization with the AGENT units. It is useful for debugging when EPAS AGENTs are out of sync or down (not expected in production instances).
If an Error Log is present, it shows any errors or warnings encountered during Enforcer policy replication.
Miscellaneous¶
The Miscellaneous section allows an EPAS Administrator to:
- select whether TLSv1.1 TLS ciphers should be enabled for the Enforcer endpoints (default port 10443). Deactivate this option only if deploying the Enforcer after release 1.0.42. For Enforcer deployments prior to version 1.0.42, it is recommended to disable this option only after redeploying the Enforcer.
- select whether RC4-SHA TLS ciphers should be enabled for the Enforcer endpoints (default port 10443). Activate this option only if deploying the Enforcer on versions of Windows prior to Windows Server 2008 R2. Both settings exist for legacy clients only: TLS 1.1 is deprecated by RFC 8996 and RC4 is prohibited in TLS by RFC 7465, so keep them enabled no longer than the compatibility cases above require.
- set up Load balancing / SAN hostnames for the certificates used by the EPAS MASTER and EPAS AGENTs when serving Enforcer requests. This is intended for environments which use external load balancers for Enforcer functionality (such as SSPR).
- set several Password Quality Analysis (PQA) public page options: PQA / Default sets the Enforcer password check (normally present at the /enforcer.html public endpoint) as the default page; PQA / Logging enables the logging of PQA checks in the Enforcer » Logs page (enabled by default); PQA / User Data enables the collection of user data via form fields (e.g., username, full name, comment) on the PQA Enforcer check page (enabled by default).
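Before switching the TLSv1.1 or RC4-SHA option off (or after changing the SAN hostnames), a practitioner will want to verify from the outside what an Enforcer endpoint actually negotiates. The script below is an added example and is not part of the EPAS documentation or product. It assumes the openssl command-line tool (1.1.1 or newer) is installed, and that host and port are supplied by the caller; the hostnames and the captured-looking outputs in it are constructed for illustration.

```shell
#!/bin/sh
# Added example; it is not part of the EPAS documentation or product.
# Audits the TLS surface of an Enforcer endpoint before the "TLSv1.1" and
# "RC4-SHA" options are switched off, and lists the SAN hostnames of the
# served certificate. Assumptions: the openssl command-line tool (1.1.1 or
# newer) is installed; host and port are supplied by the caller (10443 is
# the documented default). On OpenSSL 3 an RC4 probe additionally needs the
# legacy provider, otherwise it is reported "rejected" by the client itself.

# Run one s_client handshake against host:port and return its full output.
# Extra arguments choose what the client offers, e.g. -tls1_1 or -cipher.
probe_tls() {
    host="$1"; port="$2"; shift 2
    # stdin from /dev/null makes s_client exit right after the handshake
    openssl s_client -connect "$host:$port" -servername "$host" "$@" </dev/null 2>&1
}

# Classify s_client output read from stdin: "accepted" when the server
# negotiated a cipher, "rejected" for a failed handshake or connection error.
classify_handshake() {
    out=$(cat)
    if printf '%s\n' "$out" | grep -Fq 'Cipher is (NONE)'; then
        echo rejected
    elif printf '%s\n' "$out" | grep -Fq 'Cipher is '; then
        echo accepted
    else
        echo rejected
    fi
}

# Print the DNS entries of the Subject Alternative Name extension, one per
# line, from certificate text (openssl x509 -text) read from stdin.
parse_sans() {
    awk '/Subject Alternative Name/ { getline; print }' \
      | tr ',' '\n' \
      | sed -n 's/^[[:space:]]*DNS:\([^[:space:]]*\).*/\1/p'
}

# Probe the two legacy options the settings page controls plus a TLSv1.2
# baseline, then list the SAN hostnames. @SECLEVEL=0 is needed for a modern
# OpenSSL client to offer TLSv1.1 or RC4 at all.
audit_enforcer() {
    host="$1"; port="${2:-10443}"
    for probe in "-tls1_1 -cipher DEFAULT:@SECLEVEL=0" \
                 "-cipher RC4-SHA:@SECLEVEL=0" \
                 "-tls1_2"; do
        # $probe is intentionally unquoted so "-cipher X" splits into two words
        result=$(probe_tls "$host" "$port" $probe | classify_handshake)
        printf '%-36s %s\n' "$probe" "$result"
    done
    echo "certificate SAN hostnames:"
    probe_tls "$host" "$port" | openssl x509 -noout -text 2>/dev/null | parse_sans
}

# Constructed sample outputs (not captured from a real EPAS system) so the
# classification logic can be exercised offline.
SAMPLE_ACCEPTED='CONNECTED(00000003)
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit'
SAMPLE_REJECTED='CONNECTED(00000003)
error:0A000410:SSL routines::sslv3 alert handshake failure
---
New, (NONE), Cipher is (NONE)'
SAMPLE_CERT_TEXT='            X509v3 Subject Alternative Name:
                DNS:epas-master.example.com, DNS:enforcer-lb.example.com, IP Address:10.0.0.5'

printf 'sample accepted -> %s\n' "$(printf '%s\n' "$SAMPLE_ACCEPTED" | classify_handshake)"
printf 'sample rejected -> %s\n' "$(printf '%s\n' "$SAMPLE_REJECTED" | classify_handshake)"
printf 'sample SAN list -> %s\n' "$(printf '%s\n' "$SAMPLE_CERT_TEXT" | parse_sans | tr '\n' ' ')"
# Real run against a MASTER or AGENT (network access required):
# audit_enforcer epas-master.example.com 10443
```

Run `audit_enforcer` against each MASTER and AGENT, and against the load-balancer name when one is in front of them: the legacy probes should read "rejected" once the options are off, the TLSv1.2 baseline "accepted", and every name clients or the load balancer use should appear in the SAN list. A "rejected" result for the RC4 probe on an OpenSSL 3 client without the legacy provider loaded only proves the client refused, so confirm with `openssl ciphers RC4-SHA` that the probe was actually offered.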