Managing user accounts on the CA API Gateway
Article ID: 42870
Updated On: 12-12-2023
Products
Issue/Introduction
Background
This article will prescribe the processes for the following concepts. Please select a link from the following options. Some links may redirect the reader to a different article.
- Managing the Gateway appliance privileged (root) account (up to 9.x)
- Managing the Gateway appliance privileged (root) account (10)
- Managing the Gateway configuration menu (ssgconfig) account
- Managing the MySQL user accounts
- Managing the default Policy Manager administrator account
- Managing system user accounts
- Password rules for system user accounts
- Forcing user password changes
- Extending password expiry time
Environment
All supported versions of the API Gateway
Resolution
Managing system user accounts
All the changes noted in the sections below can be made at a privileged user shell on the API Gateway or via the Policy Manager in the Tasks > Manage Account Policies > Manage Password Policies dialogue box.
Password rules for system user accounts
By default, the API Gateway appliance requires that all credentials for user accounts contain the following:
- Two (2) lowercase alphabetic characters
- Two (2) uppercase alphabetic characters
- Two (2) numeric characters
- Two (2) special characters
This behaviour is prescribed using a particular configuration file: /etc/pam.d/system auth. Open this file for editing in order to change the configured password rules. One particular line dictates this behaviour:password requisite pam_cracklib.so retry=3 minlen=9 ucredit=-2 lcredit=-2 dcredit=-2 ocredit=-2
This line can be interpreted as follows:
| retry=3 | Allow three attempts to set credentials |
| minlen=9 | Minimum number of characters in a password |
| ucredit=-2 | Require at least two uppercase characters |
| lcredit=-2 | Require at least two lowercase characters |
| dcredit=-2 | Require at least two numeric characters |
| ocredit=-2 | Require at least two "other" characters |
The configuration of this line can be changed to meet your organizational requirements.
Forcing user password changes
It may be necessary to force certain user accounts to require the credentials to be changed upon the next successful login attempt. For example, the password rules may have changed per the above section but they will not be enforced until the user changes their password again. Should the password rules be changed, the user account should be required to change their credentials to meet the new requirements. To force a user to change their password when logging into the API Gateway appliance, do the following:
- Connect to the API Gateway via a serial cable or direct console access
- Log in with the username root at the login prompt
- Execute the following command: /usr/bin/chage –M <days> <username>
Substitute the value “<days>” for number of days from today’s date. You may also substitute the value of “<username>” with the desired user account (such as ssgconfig or root).
Extending password expiry time
It may be necessary to delay the expiration of a user account’s credentials. In order to adjust the number of days remaining for the validity period of a user’s credentials, do the following:
- Connect to the API Gateway via a serial cable or direct console access
- Log in with the username root at the login prompt
- Execute the following command: /usr/bin/chage –d 0 <username>
Substitute the value of “<username>” with the desired user account (such as ssgconfig or root).
Feedback
