Symantec Encryption Management Server 3.4.2 and above include additional password complexity/requirements.  This article will go over the details on how this functionality works.

Releases of Encryption Management Server prior to 3.4.2 allow password complexity to be enabled using the steps in article 171746 but passwords do not expire.

Encryption Management Server 3.4.2 and above include additional password management features including password expiry. By default, administrator passwords expire every 60 days. 

See the Symantec Encryption Management Server Administrator's Guide for full details but a summary of the new features are:

1. Aging (enable-password-aging) - Whether to enable password aging. This is enabled by default.
2. Minimum age (password-min-age) - How long in days administrators must use a password before they can change it. The default value is 1, the minimum is 0, the maximum is 60.
3. Maximum age (password-max-age) - How long in days before administrators are forced to change their passwords. The default value is 60, the minimum is 0, the maximum is 60.
4. Advance warning (advance-warning-period) - How long in days administrators are warned that their passwords are about to expire. The default value is 15, the minimum is 0, the maximum is 60.
5. History (number-of-passwords-to-remember) - Whether to enable password history. This is enabled by default.
6. Passwords to remember - the number of previous passwords to store. The default is 5, the minimum is 0, the maximum is 30. If this is set to 0 then no passwords will be stored and all previous passwords are deleted.
7. Complexity (enable-complex-password) - Whether to enable password complexity. This is enabled by default. When enabled, administrator passwords must contain the following. Note that no further customization of these settings is available:
   • At least one digit.
   • At least one upper case letter.
   • At least one lower case letter.
   • At least one special character.
8. Minimum length (password-min-length) - The minimum number of characters in the password. The default is 8, the minimum is 8, the maximum is 128.
9. CAPTCHA Enforcement (attempts-without-captcha) - This is the number of failed attempts made before the captcha requirement appears.  
   -1 or 0 will always have captcha enabled.   If you set to 1, then after 1 failed attempt, you will be prompted to enter captcha.  Setting this to 10 will cause captcha to appear after 10 failed attempts.

To modify the above settings, connect to Encryption Management Server using ssh and edit the /etc/ovid/prefs.xml file. For instructions on connecting using ssh, please see article 153592. Alternatively, please contact Symantec Technical Support for assistance. The default settings are:

    <omc>
        <enable-password-aging>true</enable-password-aging>
        <password-min-age>1</password-min-age>
        <password-max-age>60</password-max-age>
        <advance-warning-period>15</advance-warning-period>
        <enable-password-history>true</enable-password-history>
        <number-of-passwords-to-remember>5</number-of-passwords-to-remember>
        <enable-complex-password>true</enable-complex-password>
        <password-min-length>8</password-min-length>
        <attempts-without-captcha>10</attempts-without-captcha>


    </omc>

Once you make any of the above changes, restart pgpsysconf:

pgpsysconf --restart pgpuniversal

Changes to the /etc/ovid/prefs.xml file usually replicate automatically to other cluster members but if you wish to force replication, run the following command:

pgprepctl file /etc/ovid/prefs.xml

Important Note: Make a backup of the /etc/ovid/prefs.xml file before making any changes and if there are any doubts in configuring the above, please contact Symantec Encryption Support for assistance. 

216163 - Reset Password for Administrators on Symantec Encryption Management Server (PGP Server)

EPG-23736
EPG-23711
EPG-23710
ISFR-1795/EPG-23755
ISFR-2458/EPG-29427