# Set the password policy

In Data Mover, you can define password policies for Company and Actor users stored in the internal product repository. The password policy is applied to all users defined in the Data Mover internal product repository.

To configure the password policy, click the **User management settings** button in the upper right-hand corner.

<figure><img src="/files/ZHzADlKuEdacMme1alf3" alt=""><figcaption></figcaption></figure>

To define the password policy, follow these steps:

1. In **Setup** → **Users and Groups**, click the **User management settings** link.
2. The **User management settings & preferences** window will appear.
3. In this window, you can define:
   * **Re-use old password**: specify the number of old passwords that must not match the new password. Possible values: from 1 to 10. The higher the number, the higher the security.
   * **Password expiration**: enter the number of days, months or years the password will last.
   * **Character set**: check this box to enable the LOWERCASE, UPPERCASE, NUMBERS, and SPECIAL chips. Selecting a chip requires the password to contain at least one character of that type. This is the list of all special characters that are supported in the password:\
     \- \_ - : % ' \* ! £ $ @ . , \ \ / # ^ ? ( ) { } ] \[ \~
   * **Length**: check this box to set the minimum and maximum length of the password.
4. Click **Save** when done.

{% hint style="warning" %}
**SECURITY TIP!** If you do not set a Password expiration value, users can change their password as many times in a row as necessary to reuse their original password. Moreover, if you specify a low number for Re-use old password, users will be able to keep cycling through the same small number of passwords.
{% endhint %}

The settings will be applied when a new User is created or when the password of an existing User is changed. This means that already existing Users will be affected only after their password expires.

In the example below, a new user is created. The system has verified that the password is not compliant with the settings and the relevant details are listed below the **PASSWORD** field of the **Account Info** section.

<figure><img src="/files/EkdoCn6JUkqPYztTJonB" alt="" width="563"><figcaption></figcaption></figure>

Details on correct and incorrect settings appear as soon as the cursor is moved to a different field.

In the PASSWORD field, click the ![](/files/5imahq2YPmMGXC1ZYUfR) icon to display the characters you are typing.

A **Generate** button is available to generate the password automatically. Note that if the **Re-use old password**, **Character set** and/or **Length** boxes are checked in the **User management settings & preferences** window, the **Generate** button will not appear.

You can copy the password in the password field by using the <img src="/files/pnzPymWi4ULWtCrzVrhg" alt="" data-size="line"> icon.

When editing a User and entering a new password, the policy will be applied. Of course, the previous password will be overwritten.

When the password expiration day is approaching, the user will receive a notification email with the link to the page where the new password can be set.\
By default, the email is sent 15 days before the password expiration day, but the number of days is configurable – see the **pwdCheckJob\_beforeExpiryDays** parameter documented below.

The user can access the portal and change the password **without waiting for the email**.

The Administrator can configure options different from those set by default. To do so, go to **Setup** → **Advanced Settings** and click the **ADD PROPERTY** button in the top-right corner. In the dialog window that appears, add the properties you want to configure, selecting:

* **MODULE**: ghibli-rest
* **SECTION**: a3-config

Then enter the **PROPERTY NAME** and **PROPERTY VALUE** for the following parameters according to your needs:

* **pwdCheckJob\_linkAddress**: configure the address of the web page where the new password can be changed. The default address is: `http://localhost:9081`. If the application is exposed through a balancer, this address must be the balancer address.
* **pwdCheckJob\_linkContext**: configure the final part of the URL to access the change password service. The default is `/uportal/static/index.html`. This parameter is useful if you need to hide the full path of the application, for example when using an external application proxy.
* **pwdCheckJob\_startDate**: configure when the service must start checking passwords. The default is every day at 11:00:00 am. The date must be entered in UTC with this format: "yyyy-MM-dd'T'HH:mm:ss'Z'", for example, 2021-02-13T10:55:00Z. After changing this parameter, you must restart the CEMAN.
* **pwdCheckJob\_beforeExpiryDays**: when the password expiration day is approaching, the user will receive a notification email with the link of the page where the new password can be set. You can set a different number of days before password expiration when the notification email must be sent. The default is 15 days.
* **pwdCheckJob\_intervalMinutes**: follow-up notification emails are sent regularly until users change their passwords. By default, every 24 hours (1440 minutes), the system checks if the password has been updated and – if not – an email is sent to the user. Set a value different to the default 1440 minutes if you want to increase or decrease the check and the email frequency. Set this value to 0 if you do not want to send regular reminders to the users. Remember that the value must be set in minutes. After changing this parameter, you must restart the CEMAN.
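
The following script is an added example, not part of the Data Mover product or its documentation: it checks proposed values for the parameters listed above before they are typed into **Advanced Settings**, flags link addresses that would break or weaken the password-change flow, and reports which changes need a CEMAN restart. The function name, the sample values, and the checks marked as assumptions in the comments are illustrative.

```python
from datetime import datetime
from urllib.parse import urlparse

# Per the page, changing these two requires a CEMAN restart.
RESTART_CEMAN = {"pwdCheckJob_startDate", "pwdCheckJob_intervalMinutes"}

def check_a3_config(props):
    """Check proposed a3-config values; return (errors, warnings, restart_for)."""
    errors, warnings = [], []
    for name, value in props.items():
        if name == "pwdCheckJob_linkAddress":
            url = urlparse(value)
            if url.scheme not in ("http", "https") or not url.hostname:
                errors.append(f"{name}: not an http(s) address")
                continue
            if url.hostname in ("localhost", "127.0.0.1"):
                # The link is opened from the user's mail client, not the server.
                warnings.append(f"{name}: localhost points at the recipient's own machine")
            if url.scheme == "http":
                warnings.append(f"{name}: new password would travel over plain HTTP")
        elif name == "pwdCheckJob_linkContext":
            if not value.startswith("/"):  # assumption: same shape as the default
                errors.append(f"{name}: expected a path starting with '/'")
        elif name == "pwdCheckJob_startDate":
            try:  # Python equivalent of yyyy-MM-dd'T'HH:mm:ss'Z'
                datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")
            except ValueError:
                errors.append(f"{name}: expected UTC as yyyy-MM-dd'T'HH:mm:ss'Z'")
        elif name == "pwdCheckJob_beforeExpiryDays":
            if not value.isdigit() or int(value) < 1:  # assumption: at least 1 day
                errors.append(f"{name}: expected a positive number of days")
        elif name == "pwdCheckJob_intervalMinutes":
            if not value.isdigit():
                errors.append(f"{name}: expected minutes as a whole number")
            elif int(value) == 0:
                warnings.append(f"{name}: 0 disables follow-up reminders")
        else:
            errors.append(f"{name}: not one of the pwdCheckJob properties")
    return errors, warnings, sorted(RESTART_CEMAN.intersection(props))

# Constructed sample values, as they would be typed into PROPERTY VALUE.
SAMPLE = {
    "pwdCheckJob_linkAddress": "http://localhost:9081",
    "pwdCheckJob_startDate": "2021-02-13 10:55:00",
    "pwdCheckJob_beforeExpiryDays": "10",
    "pwdCheckJob_intervalMinutes": "0",
}

if __name__ == "__main__":
    for label, items in zip(("ERROR", "WARN", "RESTART CEMAN"), check_a3_config(SAMPLE)):
        for item in items:
            print(f"{label}: {item}")
```
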

The following properties must be added when the system is configured to have a Cluster with 2 STENGS and 2 DMZ Clusters associated with each STENG. If you change these parameters, the STENG must be restarted.

* **uportal...steng.port**: use this property to configure the port the STENG user portal application is running on. The default is 9080, see server.xml IBM Liberty configuration for details.\
  The default value is *steng.http.port*. If missing, the steng.https.port system properties value (listed in the *bootstrap.properties* file) will be used. Note that since STENG runs by default in http mode, uportal will be preferentially exposed through DMZ in HTTP mode. If you need https, you must configure Liberty for https connector and set this parameter accordingly.
* **uportal...steng.address**: use this property to configure the hostname the STENG user portal application is running on. The default value is the *steng.host* system property value (listed in the *bootstrap.properties* file) or localhost if steng.host=\*. For the default localhost, see the server.xml IBM Liberty configuration.
* **uportal...dmz.port**: use this property to configure the port the user portal application is exposed by DMZ Gateway. The default is 9081.\
  If set to 0 or -1, uportal will NOT be exposed through DMZ by peer with and . If you have more than one STENG, make sure that *steng.http.port* and *steng.https.port* system properties are different or, at least, that a different value of *uportal...dmz.port* is defined for each STENG.

Details about the configuration of the SMTP channel that will send the emails to the users are available in the **Setup** → [**Notification Channels**](/data-mover-1.21/notification-channels/what-are-notification-channels.md) section.

{% hint style="danger" %}
Remember that parameters must be edited only if you need to change default values. If default values suit your needs, no additional configuration is required.
{% endhint %}

*Example*: If you want the password change notification email to be sent 10 days before the expiration day instead of the default 15 days, go to **Setup** → **Advanced Settings**, click the **ADD PROPERTY** button, and enter:

* **MODULE**: ghibli-rest
* **SECTION**: a3-config
* **NAME**: pwdCheckJob\_beforeExpiryDays
* **VALUE**: 10.


