Managing user accounts on the CA API Gateway

Article ID: 42870

Updated On:

Products

CA API Gateway

Issue/Introduction

Background

This article will prescribe the processes for the following concepts. Please select a link from the following options. Some links may redirect the reader to a different article.

  1. Managing the Gateway appliance privileged (root) account (up to 9.x)
  2. Managing the Gateway appliance privileged (root) account (10)
  3. Managing the Gateway configuration menu (ssgconfig) account
  4. Managing the MySQL user accounts
  5. Managing the default Policy Manager administrator account
  6. Managing system user accounts
  7. Password rules for system user accounts
  8. Forcing user password changes
  9. Extending password expiry time

Environment

All supported versions of the API Gateway

Resolution

Managing system user accounts

All the changes noted in the sections below can be made at a privileged user shell on the API Gateway or via the Policy Manager in the Tasks > Manage Account Policies > Manage Password Policies dialogue box.

Password rules for system user accounts

By default, the API Gateway appliance requires that all credentials for user accounts contain the following:

  • Two (2) lowercase alphabetic characters
  • Two (2) uppercase alphabetic characters
  • Two (2) numeric characters
  • Two (2) special characters

This behaviour is prescribed by a particular configuration file: /etc/pam.d/system-auth. Open this file for editing in order to change the configured password rules. One particular line dictates this behaviour:

    password requisite pam_cracklib.so retry=3 minlen=9 ucredit=-2 lcredit=-2 dcredit=-2 ocredit=-2

This line can be interpreted as follows:

  • retry=3: Allow three attempts to set credentials
  • minlen=9: Minimum number of characters in a password
  • ucredit=-2: Require at least two uppercase characters
  • lcredit=-2: Require at least two lowercase characters
  • dcredit=-2: Require at least two numeric characters
  • ocredit=-2: Require at least two "other" characters

The configuration of this line can be changed to meet your organizational requirements.

Forcing user password changes

It may be necessary to require certain user accounts to change their credentials upon the next successful login attempt. For example, the password rules may have changed per the above section, but they will not be enforced on an existing account until the user changes their password again. Should the password rules be changed, user accounts should be required to change their credentials to meet the new requirements. To force a user to change their password when logging into the API Gateway appliance, do the following:

  1. Connect to the API Gateway via a serial cable or direct console access
  2. Log in with the username root at the login prompt
  3. Execute the following command: /usr/bin/chage -d 0 <username>

Substitute the value of “<username>” with the desired user account (such as ssgconfig or root). Setting the date of the last password change to 0 marks the password as expired, so the user must choose a new one at the next login.

Extending password expiry time

It may be necessary to delay the expiration of a user account’s credentials. In order to adjust the number of days remaining for the validity period of a user’s credentials, do the following:

  1. Connect to the API Gateway via a serial cable or direct console access
  2. Log in with the username root at the login prompt
  3. Execute the following command: /usr/bin/chage -M <days> <username>

Substitute “<days>” with the maximum number of days the password remains valid, counted from the date it was last changed. You may also substitute the value of “<username>” with the desired user account (such as ssgconfig or root).
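
chage edits the password-aging fields of /etc/shadow: -d writes the last-change day (field 3, where 0 means a change is required at the next login) and -M writes the maximum age in days (field 5). The following added example, which is not part of the original article, reads those fields to show which accounts still carry a password set before a rule change; the sample lines, day numbers and state labels are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit password aging from /etc/shadow-format lines.
# Shadow fields used: 1=user 2=hash 3=last change (days since epoch) 5=max age.
# State labels (FORCED, EXPIRED, STALE, OK, NO-AGING) are this example's own.

# Constructed sample data; the hashes are placeholders, not real credentials.
sample_shadow() {
cat <<'EOF'
root:$6$constructed$placeholder:19740:0:90:7:::
ssgconfig:$6$constructed$placeholder:0:0:90:7:::
svcuser:$6$constructed$placeholder:19600:0:60:7:::
newadmin:$6$constructed$placeholder:19790:0:90:7:::
daemon:*:19000:0:99999:7:::
EOF
}

# audit_aging TODAY POLICY_DAY  (both in days since 1970-01-01), shadow on stdin
#   FORCED   last change is 0: new password required at next login (chage -d 0)
#   EXPIRED  last change + max age is in the past
#   STALE    still valid but set before POLICY_DAY, so the new rules from
#            /etc/pam.d/system-auth have never been applied to it
#   OK       set on or after POLICY_DAY and still valid
audit_aging() {
  awk -F: -v today="$1" -v policy="$2" '
    $2 == "" || $2 ~ /^[!*]/ { next }                  # no hash or locked
    $3 == "0"                { print $1, "FORCED"; next }
    $3 == "" || $5 == ""     { print $1, "NO-AGING"; next }
                             { left = $3 + $5 - today }
    left < 0                 { print $1, "EXPIRED"; next }
    $3 + 0 < policy + 0      { print $1, "STALE", left; next }
                             { print $1, "OK", left }
  '
}

# Demo on the constructed sample: today = day 19800, rules changed on day 19750.
sample_shadow | audit_aging 19800 19750

# On a live system, as root (POLICY_DAY is a value you supply):
#   audit_aging "$(( $(date +%s) / 86400 ))" "$POLICY_DAY" < /etc/shadow
```

Accounts reported as STALE are the ones for which a forced change at next login applies the new rules; the number printed after STALE or OK is the count of days left before the password expires.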