Setting the password policy
Data One allows the definition of password policies that will be applied to Company and Actor users and that are stored in the internal product repository. The password policy is applied to all users defined in Data One.
The configuration of the password policy occurs clicking the User management settings button in the upper right-hand corner.
To define the password policy, follow these steps:
-
In Setup → Users and Groups, click the User management settings link.
-
The User management settings & preferences window will appear.
-
In this window, you can define:
- Re-use old password: specify the number of old passwords that must not match the new password. Possible values: from 1 to 10. The higher the number, the higher the security.
- Password expiration: enter the number of days, months or years the password will last.
Capt. Eddie to ground control:"SECURITY TIP! If you do not set a Password expiration value, users can change their password as many times in a row as necessary to reuse their original password. Moreover, specifying a low number for Re-use old password, users will be able to continually use the same small number of passwords."
- Character set: check this box to enable the LOWERCASE, UPPERCASE, NUMBERS and SPECIAL chips. Selecting a chip will define that at least one character compliant to the policy must be present. This is the list of all special characters that are supported in the password:
- _ - : % ' * ! £ $ @ . , \ \ / # ^ ? ( ) { } ] [ ~ |
- Length: check this box to set the minimum and maximum length of the password.
- Click Save when done.
The settings will be applied when a new User is created or when the password of an existing User is changed. This means that already existing Users will be affected only after their password expires.
In the example below, a new user is created. The system has verified that the password is not compliant to the settings and the relevant details are listed below the PASSWORD field of the Account Info section.
Details on correct and incorrect settings appear as soon as the cursor is moved to a different field.
In the PASSWORD field, click the icon to display the characters you are typing.
If you prefer generating a compliant password automatically, click the Generate button.
When editing a User and entering a new password, the policy will be applied. Of course, the previous password will be overwritten.
When the password expiration day is approaching, the user will receive a notification email with the link of the page where the new password can be set.
By default, the email is sent 15 days before the password expiration day but the number of days is configurable – see the pwdCheckJob_beforeExpiryDays parameter documented here below.
The user can access the portal and change the password without waiting for the email.
The Administrator can configure different options than those set by default. To do so, go to Setup → Advanced Settings and click the ADD PROPERTY button on the top-right corner. In the dialog window that appears, add the properties you want to configure, selecting:
- MODULE: ghibli-rest
- SECTION: a3-config
and entering the PROPERTY NAME and PROPERTY VALUE for the following parameters according to your needs: - pwdCheckJob_linkAddress: configure the address of the web page where the new password can be changed. The default address is:
http://localhost:9081
. If the application is exposed through a balancer, this address must be the balancer address. - pwdCheckJob_linkContext: configure the final part of the URL to access the change password service. The default is "/uportal/static/index.html". This parameter is useful if you need to hide the full path of the application for example using an external application proxy.
- pwdCheckJob_startDate: configure when the service must start checking passwords. The default is every day at 11:00:00 am. The date must be entered in UTC with this format: "yyyy-MM-dd'T'HH:mm:ss'Z'", for example: 2021-02-13T10:55:00Z. After changing this parameter, you must restart the CEMAN.
- pwdCheckJob_beforeExpiryDays: when the password expiration day is approaching, the user will receive a notification email with the link of the page where the new password can be set. You can set a different number of days before password expiration when the notification email must be sent. The default is 15 days.
- pwdCheckJob_intervalMinutes: follow-up notification emails are sent regularly until users change their passwords. By default, every 24 hours (1440 minutes), the system checks if the password has been updated and – if not – an email is sent to the user. Set a value different to the default 1440 minutes if you want to increase or decrease the check and the email frequency. Set this value to 0 if you do not want to send regurlar reminders to the users. Remember that the value must be set in minutes. After changing this parameter, you must restart the CEMAN.
The following properties must be added when the system is configured to have a Cluster with 2 STENGS and 2 DMZ Clusters associated to each STENG. If you change these parameters, the STENG must be restarted.
- uportal...steng.port: use this property to configure the port the STENG user portal application is running on. The default is 9080, see server.xml IBM Liberty configuration for details.
The default value is steng.http.port. If missing, the steng.https.port system properties value (listed in the bootstrap.properties file) will be used. Note that since STENG runs by default in http mode, uportal will be preferentially exposed through DMZ in http mode. If you need https, you must configure Liberty for https connector and set this parameter accordingly. - uportal...steng.address: use this property to configure the hostname the STENG user portal application is running on. The default value is the steng.host system property value (listed in the bootstrap.properties file) or localhost if steng.host=*. For the default localhost, see the server.xml IBM Liberty configuration.
- uportal...dmz.port: use this property to configure the port the user portal application is exposed by DMZ Gateway. The default is 9081.
If set to 0 or -1, uportal will NOT be exposed through DMZ by peer with and . If you have more than one STENG, make sure that steng.http.port and steng.https.port system properties are different or, at least, that a different value of uportal...dmz.port is defined for each STENG.
Details about the configuration of the SMTP channel that will send the emails to the users are available in the Setup → Notification Channels section.
Example: If you want the password change notification email to be sent 10 days before the expiration day instead of the default 15 days, go to Setup → Advanced Settings, click the ADD PROPERTY button and enter:
- MODULE: ghibli-rest
- SECTION: a3-config
- NAME: pwdCheckJob_beforeExpiryDays
- VALUE: 10.
Updated 4 months ago