How-to: Set Up Password Expiration in PAM

Document ID : KB000124013
Last Modified Date : 28/12/2018
Introduction:
In many environments passwords are set to expire after a period of time, usually for security purposes. For example, Active Directory includes the GPO option "Maximum password age". Once a password has expired, CA PAM can no longer use it, because authentication with it will fail. To ensure this never happens, PAM has a Password Expiration feature that includes an option to force-rotate passwords when they expire.
Instructions:
There are two main settings that need to be configured to enable password expiration. The first is to give the account a maximum password age (expiration time). This alone only enables date tracking and is not enough to make passwords rotate automatically after they expire. The second is to enable automatic rotation once passwords expire.

Part 1- Set account(s) to track password age/expiration:
  1. Navigate to: Credentials > Manage Targets > Password Composition Policies
  2. Create a new policy, or open an existing one for modification
  3. Enable the checkbox labeled "Maximum Password Age Enforcement"
  4. Choose a Maximum Password Age in the box labeled "Maximum Password Age Days"
    • Tip: To ensure the password never gets into a bad state, it is a best practice to set PAM's expiration age to be at least 1 day shorter than that of the authentication source, so that PAM rotates the password before the authentication source rejects it.
  5. Optionally configure/confirm other Password Composition options
  6. Click OK at the bottom of the form to save the policy
  7. Set this Password Composition Policy on the Target Application(s) that the required Target Account(s) belong to

Part 2 - Enable Automatic Update of Expired Passwords:
  1. Navigate to: Settings > Credential Manager > General Settings (tab)
  2. Enable the checkbox labeled "Automatically Update Expired Passwords"
  3. Click Save at the bottom of the screen


FAQ:

How does the automatic rotation work?
Once the password has expired it is rotated automatically by the next scheduled (cron) job. The job runs once per day and rotates all expired passwords.
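The following added example (not part of this KB article or the PAM product) models the timing behind the tip in Part 1 and the daily job described above: PAM marks the password expired after its own maximum age, the next daily job run rotates it, and rotation only succeeds if that run happens before the authentication source expires the password. The ages, the password set time and the 02:00 job time are constructed assumptions.

```python
from datetime import datetime, timedelta, time
from typing import Tuple

# Constructed example values; in practice these come from the PAM Password
# Composition Policy and the authentication source (e.g. the AD GPO).
AD_MAX_AGE_DAYS = 90
PAM_MAX_AGE_DAYS = 89            # at least 1 day shorter than the source
ROTATION_JOB_TIME = time(2, 0)   # assumed time of day the daily job runs


def next_job_run(after: datetime, job_time: time = ROTATION_JOB_TIME) -> datetime:
    """First daily rotation-job run at or after `after`."""
    candidate = datetime.combine(after.date(), job_time)
    if candidate < after:
        candidate += timedelta(days=1)
    return candidate


def rotation_is_safe(password_set_at: datetime, pam_age_days: int,
                     source_age_days: int,
                     job_time: time = ROTATION_JOB_TIME) -> Tuple[bool, datetime, datetime]:
    """Return (safe, rotation_at, source_expiry).

    PAM treats the password as expired pam_age_days after it was set and the
    daily job rotates it on its next run. If that run falls after the
    authentication source's own expiry, PAM can no longer authenticate with
    the old password and the rotation fails.
    """
    pam_expiry = password_set_at + timedelta(days=pam_age_days)
    source_expiry = password_set_at + timedelta(days=source_age_days)
    rotation_at = next_job_run(pam_expiry, job_time)
    return rotation_at < source_expiry, rotation_at, source_expiry


if __name__ == "__main__":
    set_at = datetime(2018, 1, 1, 14, 30)  # constructed password change time
    for pam_days in (PAM_MAX_AGE_DAYS, AD_MAX_AGE_DAYS):
        safe, rot, exp = rotation_is_safe(set_at, pam_days, AD_MAX_AGE_DAYS)
        print(f"PAM age {pam_days}d: rotate {rot}, source expiry {exp}, safe={safe}")
```

With equal ages the job runs after the source has already expired the password, which is the bad state the tip warns about; a job run that fails for any reason adds a further day, so a margin larger than one day gives more room.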

How can the current expiration status of an account be checked?
To check the status, navigate to Credentials > Manage Targets > Accounts, open the account and switch to the Password tab. This shows the account information, including expiration details like the examples below:
[Screenshot: expired account example]

The account above is already expired. Here are examples of the other statuses that may be seen:
[Screenshot: account expiring today]
[Screenshot: account expiring later]
Additional Information:
Tip: For an even safer configuration, PAM can be set to use an administrative account to rotate passwords instead of having each account rotate its own password. This way, if there is ever a problem with the account's own password, the rotation should still work as long as the administrative account is still functioning properly.

Related Documentation:
Creating Password Composition Policies (& enabling password expiration):
https://docops.ca.com/ca-privileged-access-manager/3-2-3/EN/implementing/protect-privileged-account-credentials/set-up-password-composition-and-view-policies/construct-password-composition-policies/create-a-password-composition-policy-with-the-ui

Use an Alternate Account to Change Passwords:
https://docops.ca.com/ca-privileged-access-manager/3-2-3/EN/implementing/protect-privileged-account-credentials/add-target-accounts-to-target-applications/use-an-alternate-account-to-change-passwords-optional