• Locked Locked
  • Replies 1 reply
  • Subscribers 36 subscribers
  • Views 3727 views
  • Users 0 members are here
Options
Related
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Public Hotfix (SOL213268) - Password Manager Security Enhancements

sebastian.ch
over 7 years ago

Did anyone already implement this Hotfix ?
https://support.quest.com/password-manager/kb/213268

Kindly asking you to share your experience here.

Did the implementation work as expected? Any issues occurred?


How long did it take to migrate the user's Q&A profiles? How many users were migrated? (looking for a time estimate here)

How about your UI customizations? What was kept, what not?

 

Thanks for sharing.

 

  • over 7 years ago
    Unfortunately, the hotfix requires user profile (client-side) upgrade because server-side encryption key is touched (makes sense). It is the same old and very uncomfortable limitation: you need to update all “10-100K” user profiles at once. Though at least you can prepear well to implement it in Production.
    On other hand: is PM Service Account got compromised. Is it a must-hotfix or optional?
     
    Backup.
    Backup PM Servers.
    I strongly recommend to use RMAD to backup user.comment (or whatever used for Q&A by PM) attribute.
    (another option: write your own script: direct dump of binary blob into txt file for all users)
     
    Granular upgrade.
    N/A. Upgrade by chunk of users cannot be controlled on server-side (example: old-server determines the profile is old and redirects to a new-server – that is not possible)
    Idea. Upgrade by region. Upgrade server and user-profile fore EMEA only OU=EMEA with PM01 Sever for EMEA upgraded, while OU=APAC with PM02 for APAC stays old.
     
    Timing.
    Run Migration wizard to update all the user profiles automatically. It depends on many factors: how quickly DC will process LDAP calls from PM server. I have seen performance 1 user profile / 2-5 sec, for example.
     
    PS: maybe it worth to consider involving PSO to help with *upgrade*.