Encryption Management Server administrator passwords do not expire

Article ID: 171744

Products

Encryption Management Server, Gateway Email Encryption

Issue/Introduction

In releases of Encryption Management Server prior to 3.4.2, administrator passwords do not expire.

Cause

This was by design in releases prior to 3.4.2.

Environment

Encryption Management Server 3.3.2 MP13 and above.

Resolution

Releases of Encryption Management Server prior to 3.4.2 allow password complexity to be enabled using the steps in article 171746, but passwords do not expire.

Encryption Management Server 3.4.2 and above include additional password management features including password expiry. By default, administrator passwords expire every 60 days. 

See the Symantec Encryption Management Server Administrator's Guide for full details, but a summary of the new features is:

  1. Aging - Whether to enable password aging. This is enabled by default.
  2. Minimum age - How long in days administrators must use a password before they can change it. The default value is 1, the minimum is 0, the maximum is 60.
  3. Maximum age - How long in days before administrators are forced to change their passwords. The default value is 60, the minimum is 0, the maximum is 60.
  4. Advance warning - How long in days administrators are warned that their passwords are about to expire. The default value is 15, the minimum is 0, the maximum is 60.
  5. History - Whether to enable password history. This is enabled by default.
  6. Passwords to remember - The number of previous passwords to store. The default is 5, the minimum is 0, the maximum is 30. If this is set to 0 then no passwords will be stored and all previous passwords are deleted.
  7. Complexity - Whether to enable password complexity. This is enabled by default. When enabled, administrator passwords must contain the following. Note that no further customization of these settings is available:
    • At least one digit.
    • At least one upper case letter.
    • At least one lower case letter.
    • At least one special character.
  8. Minimum length - The minimum number of characters in the password. The default is 8, the minimum is 8, the maximum is 128.

To modify the above settings, connect to Encryption Management Server using ssh and edit the /etc/ovid/prefs.xml file. For instructions on connecting using ssh, please see article 153592. Alternatively, please contact Symantec Technical Support for assistance. The default settings are:

    <omc>
        <enable-password-aging>true</enable-password-aging>
        <password-min-age>1</password-min-age>
        <password-max-age>60</password-max-age>
        <advance-warning-period>15</advance-warning-period>
        <enable-password-history>true</enable-password-history>
        <number-of-passwords-to-remember>5</number-of-passwords-to-remember>
        <enable-complex-password>true</enable-complex-password>
        <password-min-length>8</password-min-length>
    </omc>

Changes to the /etc/ovid/prefs.xml file usually replicate automatically to other cluster members, but if you wish to force replication, run the following command:

    pgprepctl file /etc/ovid/prefs.xml
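
The following check is an added example, not part of the article or the product. It reads the `<omc>` block from a copy of prefs.xml and reports any setting that is missing, outside the ranges listed above, or changed from the documented defaults. The `<prefs>` wrapper element and the sample values are constructed for illustration.

```python
import xml.etree.ElementTree as ET
# Settings and limits as listed in the article. Integers: (default, min, max).
INT_SETTINGS = {
    "password-min-age": (1, 0, 60),
    "password-max-age": (60, 0, 60),
    "advance-warning-period": (15, 0, 60),
    "number-of-passwords-to-remember": (5, 0, 30),
    "password-min-length": (8, 8, 128),
}
BOOL_SETTINGS = ("enable-password-aging", "enable-password-history",
                 "enable-complex-password")

def audit_omc(xml_text):
    """Return a list of findings for the <omc> password policy block."""
    root = ET.fromstring(xml_text)
    omc = next(root.iter("omc"), None)
    if omc is None:
        return ["no <omc> element found"]
    findings = []
    for name in BOOL_SETTINGS:
        value = (omc.findtext(name) or "").strip().lower()
        if value not in ("true", "false"):
            findings.append(f"{name}: missing or not true/false ({value!r})")
        elif value == "false":
            findings.append(f"{name}: disabled (default is true)")
    for name, (default, low, high) in INT_SETTINGS.items():
        raw = (omc.findtext(name) or "").strip()
        if not raw.isdecimal():
            findings.append(f"{name}: missing or not a number ({raw!r})")
        elif not low <= int(raw) <= high:
            findings.append(f"{name}: {raw} outside documented range {low}-{high}")
        elif int(raw) != default:
            findings.append(f"{name}: {raw} differs from default {default}")
    return findings

# Constructed sample: the article's defaults with three values changed.
SAMPLE = """<prefs><omc>
    <enable-password-aging>false</enable-password-aging>
    <password-min-age>1</password-min-age>
    <password-max-age>90</password-max-age>
    <advance-warning-period>15</advance-warning-period>
    <enable-password-history>true</enable-password-history>
    <number-of-passwords-to-remember>0</number-of-passwords-to-remember>
    <enable-complex-password>true</enable-complex-password>
    <password-min-length>8</password-min-length>
</omc></prefs>"""

if __name__ == "__main__":
    print("\n".join(audit_omc(SAMPLE)))
```

Running the check on each cluster member's copy of the file also shows whether an edit has replicated.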