Specialized Administration > Configuring Your Windchill Environment > Configuring Password Management Options > User Password Management Options
  
User Password Management Options
The password management feature allows Windchill users to change their passwords using the Windchill interface. If you are using the Windchill Directory Server for storing Windchill users and groups, and are using HTTP Server and Embedded Servlet Engine as your web server and servlet engine, you can easily configure Windchill to allow users to change their passwords.
* 
To be able to change their passwords, Windchill users must be able to write to the directory server where the user information is stored. If users are stored in your Windchill Directory Server, allowing users to change their passwords is set up by default.
Configuring user password management in an environment that uses Windchill Directory Server, HTTP Server (powered by Apache) and Embedded Servlet Engine (based on Tomcat) consists of completing the following tasks:
Enabling the user interface that allows Windchill users to change their passwords. See the section Enabling the Password Change User Interface.
Setting up a password policy in the Windchill Directory Server. See the section Setting Up a Password Policy.
Deciding whether the defaults initially set for user lockout properties works with your site’s user policies. See the section Deciding on a Password Expiration Notification Process.
Deciding how to notify users when their password will expire. See the section Deciding on a Password Expiration Notification Process.
Customizing Apache login help to provide site-specific information for users. See the section Customizing Apache Login Help Topics.
Read the following sections for information on completing these tasks.
Enabling the Password Change User Interface
By default, the Windchill Directory Server is set up to allow users to modify their own password; however, the Windchill password change interface is not enabled.
Using the xconfmanager utility, you can enable password change by setting the wt.org.services.userPasswordChangeEnabled property value to TRUE.
Following is an example of how the wt.org.services.userPasswordChangeEnabled property is enabled. Enter the xconfmanager command on one line:
xconfmanager -s "wt.org.services.userPasswordChangeEnabled=true"
-t "<Windchill>/codebase/wt.properties" -p
where <Windchill> is the location where Windchill is installed.
* 
After changing the value of the wt.org.services.userPasswordChangeEnabled property, restart the method server to ensure the change becomes effective.
If you have set the wt.org.services.userPasswordChangeEnabled property to true, users can change their password by selecting Quick Links > My Settings > Profile. From the user information page that displays, select Edit Password from the Actions menu to open the Edit Password window.
The user information page is also accessible from the Team page. Display users on the Members table and click the information icon for a user to display the user information page.
Users can click the help icon on the Edit Password window to access information on how to change the password from the Edit Password window. This help can also contain site information about the password requirements you have established. To add your requirements to this help, you can customize the associated help topic. For example, you may want to add that you require that the password be at least five characters and contain at least one integer.
Setting Up a Password Policy
Your site password policy is defined in your LDAP directory server and enforced by that server. In Windchill your password cannot begin or end with a blank space.
The Windchill Directory Server includes a default password policy for all users. Initially, the default password policy does not specify password requirements such as password syntax, length, or expiration. However, you can modify this password policy to specify password requirements using the dsconfig command line utility that is provided with the Windchill Directory Server. The location of command line utilities is dependent on your operating system:
On Windows, they are located in the <WindchillDS>\server\bat directory.
On UNIX, they are located in the <WindchillDS>/server/bin directory.
where <WindchillDS> is the Windchill Directory Server installation directory.
* 
If you store users outside of your Windchill Directory Server (for example, in a corporate directory), set up the password policy in the enterprise LDAP directory that you are using instead of in your Windchill Directory Server.
For information on setting up a password policy in an enterprise directory, see the documentation provided with the directory.
Deciding on a User Lockout Policy
Your site user lockout policy determines how many login attempts can be made before a user is locked out of Windchill and how long the user is locked out. Windchill does not manage user login actions. This policy is defined in your LDAP directory server and enforced by that directory server. For example, if you configure single sign-on (SSO) for Windchill and redirect user authentication to an identity provider in your SSO federation, you will need to set the user lockout policy in the federated identity provider.
By default, the Windchill Directory Server defines properties that set defaults for a lockout failure count and lockout duration. If the defaults are used, end users can see the following behaviors:
If a user makes five contiguous unsuccessful attempts to log in, the account associated with the user name that was used is locked.
If an account is locked, the lock remains in effect for 15 minutes. After 15 minutes, the account is automatically unlocked; no administrative action is required.
If your site is using the HTTP Server web server, users can experience a slightly different lockout scenario. This is because HTTP Server caches successful login credentials for a predetermined length of time. This login cache comes into play in the following scenario:
1. Assume a user has logged in successfully and then closes the browser.
2. Within the time in which the successful login is cached, the user reopens the browser and attempts to login but is unsuccessful five consecutive times.
3. On the sixth login try, the user enters the correct credentials to log in and the login is successful even though the number of attempts was greater than five.
The user’s login is successful on the sixth try because the user credentials entered matched the credentials that are cached. This scenario only works because the correct credentials were entered while the successful login credentials were cached. If the user had reopened the browser after the HTTP Server cache was cleared, then the user account would have been locked after the fifth unsuccessful login attempt.
You can change the defaults that are set for lockout failure count and lockout duration by modifying Windchill Directory Server default password policy.
Deciding on a Password Expiration Notification Process
* 
Windchill does not send users any notification that their password is about to expire.
You must manage the user notification of password expirations through your site policies outside of Windchill. However, Windchill provides the following Apache error pages that can be customized with site specific information:
When HTTP Server returns a 500 error (indicating that an internal server error has occurred), the apachelogin/apacheerror.html displays. HTTP Server returns this error page when a user is locked out of the Windchill Directory Server. This page is returned whenever an unexpected condition prevents HTTP Server from completing an HTTP request. Therefore, you should keep the text on the page very general.
When HTTP Server returns a 401 error (indicating that the login authorization has failed), the apachelogin/apachelogin.html displays.
PTC supplies English and Japanese versions of these files.
Customizing Apache Login Help Topics
You can customize the content of the Apache login help topics to ensure that users have access to your site information. The help for the Apache 500 and 401 errors is located in the <Windchill>/codebase/webserver/apache/error directory, where <Windchill> is the location where Windchill is installed.
There are only two files in this directory that are accessed by HTTP Server and follow the Apache conventions for online help. These files end in an extension that indicates the content language of the file. PTC supplies only English and Japanese versions of the files. The .en extension is for English and .ja is for Japanese.
The following lists the English files:
apacheerror.html.en -- internal server error information to display when the Apache error number is 500.
apachelogin.html.en -- login authorization information to display when the Apache error number is 401.
You can modify the content of these files using a standard HTML or text editor.