Database Authentication for Customers
Database authentication is activated by setting the system property cmas-core-security, contact.authentication.method to DATABASE (default value).
There are two steps which you need to perform to set up database authentication for customers using CM/Track:
- Create customer fields for the user name (login) and password in the Admin Tool (see Defining the Customer Fields for CM/Track Login and Password)
- Enter the user name and password for the actual customers in the Web Client (see Granting Access to CM/Track for Customers)
When database authentication is used, you can allow your customers to change their own passwords, see Configuring CM/Track for Password Reset by Customers.
Defining the Customer Fields for CM/Track Login and Password
The fields for login and password for a customer are regular customer fields at the contact level. Please see section Setting Up the Customer Data Model for an introduction to customer field management and GUI configuration for customer data.
Edit the customer data model in the Admin Tool (navigation group Customers, navigation item Data Models). If there are two levels you need to edit the fields of the contact level. Create the following two fields:
- Create a field for the login with the annotation username = true.
  Assigning the annotation username to a customer field is only possible if there is no previous assignment of this annotation. Otherwise it will be prohibited. When assigning it, a warning dialog must be confirmed before it is executed, since it can be a longer running operation. Unassigning the annotation must be confirmed as well, because it cannot be undone: Unassignment irrecoverably deletes the user name values from internal storage.
- Create a field for the password with the annotation password = true. The annotation text-type = password guarantees that only stars/dots are displayed in the Web Client, not the clear text password.
  The annotation password requires confirmation when assigned.
  In case of an update from CM versions lower than 6.11 to 6.11 and up: When this annotation is set, the system reads the plain text passwords from the original field values, encrypts them and saves the encrypted values to the internal storage. Then the original field values are deleted and thus the plain text value cannot be recovered anymore.
  When trying to unassign the password annotation, the operation must be confirmed as well, since the encrypted passwords are deleted from the internal storage. After the annotation unassignment the password information is completely lost and cannot be recovered at all.
When a scenario from a CM version lower than 6.11 is imported into a system with CM 6.11 (or higher), a transformation of user names and passwords is performed automatically. This is described in detail in section Transformation of User Name and Password Fields During Import into CM 6.11.
Granting Access to CM/Track for Customers
The engineer working with the Web Client can then assign a user name, initial password, and a CM/Track user profile to every customer who should have access to the portal CM/Track. The user name has to be unique. This is checked by the system: you cannot enter a name that has already been assigned to another customer. The password is stored as an encrypted string in the CM database. This means that an engineer can set a new password, e.g., when a customer calls and asks for this, but it is never possible to read the password from the system.
You, as an administrator, can define if the CM/Track user names should be case sensitive. Use the CM system property cmas-core-security, policy.track.username.case.sensitive. This is a boolean variable. When it is set to true, the CM/Track user names are case sensitive. Please make sure that the database collation which is in use supports case sensitive strings!
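The collation caveat above can be checked with a small probe. The following is an added example, not ConSol CM code: it uses SQLite as a stand-in database, and the table and column names (contact, username) and the sample user names are assumptions made for illustration.

```python
import sqlite3

ALLOWED = ("BINARY", "NOCASE")  # SQLite built-in collations used in this probe


def probe(collation: str) -> dict:
    """Create a unique user name column with the given collation and test
    how it treats user names that differ only in case."""
    if collation not in ALLOWED:
        raise ValueError(f"unsupported collation: {collation}")
    conn = sqlite3.connect(":memory:")
    # Hypothetical table, not the CM schema.
    conn.execute(
        "CREATE TABLE contact (id INTEGER PRIMARY KEY, "
        f"username TEXT COLLATE {collation} UNIQUE)"
    )
    conn.execute("INSERT INTO contact (username) VALUES (?)", ("jsmith",))
    try:
        # A case-sensitive policy expects this to be a different user name.
        conn.execute("INSERT INTO contact (username) VALUES (?)", ("JSmith",))
        distinct_case_allowed = True
    except sqlite3.IntegrityError:
        distinct_case_allowed = False
    # A case-sensitive policy expects a lookup with the wrong case to find nothing.
    rows = conn.execute(
        "SELECT username FROM contact WHERE username = ?", ("JSMITH",)
    ).fetchall()
    conn.close()
    return {
        "distinct_case_allowed": distinct_case_allowed,
        "wrong_case_matches": [r[0] for r in rows],
    }


def supports_case_sensitive_usernames(collation: str) -> bool:
    """True only if the collation keeps 'jsmith' and 'JSmith' apart on both
    the uniqueness check and the lookup."""
    result = probe(collation)
    return result["distinct_case_allowed"] and not result["wrong_case_matches"]


if __name__ == "__main__":
    for name in ALLOWED:
        print(name, probe(name), supports_case_sensitive_usernames(name))
```

On a production database the same two checks (insert a name differing only in case, look up with the wrong case) apply to the collation of the column that actually holds the user names.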
The following example shows the customer data of an example contact in the ConSol CM Web Client. You reach this screen by opening a contact data set in edit mode.
Figure 436: ConSol CM Web Client - Contact page: CM/Track user data
Configuring CM/Track for Password Reset by Customers
CM/Track can be configured to offer a hyperlink for customers where a customer can reset his password. This is based on the template track-password-reset-template. Please refer to section Password Reset Template for Customers Using CM/Track for a detailed explanation. The password reset in CM/Track is only possible when the DATABASE mode is used. It is not possible when LDAP authentication is in operation. See section Authentication Methods for Customers in CM/Track for the portal for an explanation of all possible authentication modes.
Please note that the From address of the email which is sent to a customer who has requested a new password can be set using the CM system property cmas-core-security, password.reset.mail.from.