This article will prescribe the processes for the following concepts.
All the changes noted in the sections below can be made at a privileged user shell on the API Gateway or via the Policy Manager in the Tasks > Manage Account Policies > Manage Password Policies dialogue box.
By default, the API Gateway appliance requires that all credentials for user accounts contain the following:
This behaviour is prescribed by a configuration file: /etc/pam.d/system-auth. Open this file for editing in order to change the configured password rules. One particular line dictates this behaviour:
    password requisite pam_cracklib.so retry=3 minlen=9 ucredit=-2 lcredit=-2 dcredit=-2 ocredit=-2
This line can be interpreted as follows:
| retry=3 | Allow three attempts to set credentials |
| minlen=9 | Minimum number of characters in a password |
| ucredit=-2 | Require at least two uppercase characters |
| lcredit=-2 | Require at least two lowercase characters |
| dcredit=-2 | Require at least two numeric characters |
| ocredit=-2 | Require at least two "other" characters |
The configuration of this line can be changed to meet your organizational requirements.
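Before changing the line, it helps to see how the sign of each credit value alters what is accepted. The following is an added example, not code from the original article or the product: a simplified Python model of the length and character-class options only (pam_cracklib's dictionary and similarity checks are not modelled). The function names and sample passwords are constructed for illustration.

```python
import string

# The pam_cracklib line quoted on this page.
PAGE_LINE = ("password requisite pam_cracklib.so retry=3 minlen=9 "
             "ucredit=-2 lcredit=-2 dcredit=-2 ocredit=-2")
LABELS = {"ucredit": "uppercase", "lcredit": "lowercase",
          "dcredit": "numeric", "ocredit": "other"}

def parse_cracklib(line):
    """Return the integer-valued options of a pam_cracklib line as a dict."""
    fields = line.split()
    if "pam_cracklib.so" not in fields:
        raise ValueError("not a pam_cracklib line")
    opts = {}
    for field in fields[fields.index("pam_cracklib.so") + 1:]:
        key, sep, value = field.partition("=")
        if sep and value.lstrip("-").isdigit():
            opts[key] = int(value)
    return opts

def classify(ch):
    """Map a character to the credit option that counts it."""
    if ch in string.digits:
        return "dcredit"
    if ch in string.ascii_uppercase:
        return "ucredit"
    if ch in string.ascii_lowercase:
        return "lcredit"
    return "ocredit"

def violations(password, opts):
    """List the rules a candidate breaks; an empty list means accepted."""
    counts = dict.fromkeys(LABELS, 0)
    for ch in password:
        counts[classify(ch)] += 1
    needed = opts["minlen"]  # assumes minlen and all four credits are set
    problems = []
    for key, label in LABELS.items():
        if opts[key] < 0:  # negative: a hard minimum for that class
            if counts[key] < -opts[key]:
                problems.append(f"needs at least {-opts[key]} {label} characters")
        else:  # zero or positive: each such character shortens minlen
            needed -= min(counts[key], opts[key])
    if len(password) < needed:
        problems.append(f"too short: {len(password)} < {needed}")
    return problems

if __name__ == "__main__":
    for candidate in ("ABcd12!?x", "Ab1!x"):  # constructed sample passwords
        print(candidate, violations(candidate, parse_cracklib(PAGE_LINE)))
```

Replacing each `-2` with `2` in the parsed line turns the class requirements into length credits, so a five-character mixed password passes the modelled checks even though minlen is still 9.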
It may be necessary to force certain user accounts to require the credentials to be changed upon the next successful login attempt. For example, the password rules may have changed per the above section but they will not be enforced until the user changes their password again. Should the password rules be changed, the user account should be required to change their credentials to meet the new requirements. To force a user to change their password when logging into the API Gateway appliance, do the following:
Substitute the value “<days>” with the number of days from today’s date. You may also substitute the value of “<username>” with the desired user account (such as ssgconfig or root).
It may be necessary to delay the expiration of a user account’s credentials. In order to adjust the number of days remaining for the validity period of a user’s credentials, do the following:
Substitute the value of “<username>” with the desired user account (such as ssgconfig or root).