August Questions and Answers
Q: Compliance Monitor has some product user profiles that are set to never expire. Can they be changed to meet our password requirements?
A: Compliance Monitor has four profiles: PLCMOWN is the object owner for the Endpoint; PLCM2OWN is the object owner for the Consolidator; PLCM2ADM is the profile used to sign on to the product for the first time; PLCMADM is used for communication between the Consolidator and the Endpoint.
The object owner profiles are set to *DISABLED and have the suffix “OWN” to denote their use, so they don’t attract attention. However, PLCM2ADM and PLCMADM might.
PLCM2ADM can be set to *DISABLED if you sign on to the product under an alternate authorized profile. If you set the password expiration interval to *SYSVAL and the password expires, you must use the command PTCMT2/CHGPCM2PWD to reset it. The command encrypts the password in a special password store.
PLCMADM must be set to *ENABLED. We recommend that you leave the password expiration interval set to *NOMAX: if you have multiple Endpoints and you change the password on one Endpoint, you must change it on all your Endpoints to match. In addition, each Compliance Monitor user must enter the password in each PC GUI installation, which could be a problem for large deployments. We recommend leaving PLCMADM as is; the password is securely maintained in the triple-DES encrypted password store on the Consolidator.
Paul “Paulie” Culin is a Senior Security Engineer with the PowerTech Group. As a product expert, his role at PowerTech includes managing client training and implementation services, as well as hosting security presentations, webinars, and product demonstrations. Paul has thirteen years of experience in the security field.
