CREATE CONNECTION SECURITY (Define the connection security facility)
Function
Defines security items related to the connection security facility.
Privilege
- Users who have the DBA privilege
- Only users who hold the DBA privilege can execute the definition statements related to CREATE CONNECTION SECURITY.
Format
CREATE CONNECTION SECURITY FOR security-object [, security-object]
security-object::= {CONNECT [PERMISSION COUNT literal
[LOCK {literal DAY[S]|literal HOUR[S]
| literal MINUTE[S]|UNLIMITED}]]
| PASSWORD [TEST] password-character-limit-definition}
password-character-limit-definition::= [MIN LENGTH literal]
[USER IDENTIFIER {RESTRICT|UNRESTRICT}]
[SIMILAR {RESTRICT|UNRESTRICT}]
Operands
- security-object::=
{CONNECT [PERMISSION COUNT literal
[LOCK {literal DAY [S] | literal HOUR [S]
| literal MINUTE [S] | UNLIMITED}]]
| PASSWORD [TEST] password-character-limit-definition}
In security-object, CONNECT and PASSWORD can each be specified only once.
A security object that is not specified is not defined. Each security-object must specify either CONNECT or PASSWORD; you can omit one of them, but not both.
If CONNECT or PASSWORD is specified without any of the operands that follow it, the default values are assigned to the omitted operands.
- CONNECT [PERMISSION COUNT literal
- [LOCK {literal DAY [S] | literal HOUR [S] | literal MINUTE [S]
- | UNLIMITED}]]
- Specifies the limit on consecutive certification (authentication) failures and the account lock that results when it is exceeded.
- PERMISSION COUNT literal
- Specifies the number of consecutive certification failures that are permitted before the account enters the consecutive certification failure account lock state. The lock state occurs when the number of consecutive certification failures exceeds the permission count; with PERMISSION COUNT 2, for example, the third consecutive failure locks the account.
- The default for PERMISSION COUNT is 2. If a PERMISSION COUNT specification is omitted, the LOCK option cannot be specified.
- literal
- Specifies a permission count for the permitted number of consecutive certification failures until a consecutive certification failure account lock state occurs.
- The minimum is 1 (time); the maximum is 10 (times).
- In literal, specify an unsigned integer.
- LOCK {literal DAY [S] | literal HOUR [S] | literal MINUTE [S] | UNLIMITED}
- Specifies the duration over which the consecutive certification failure account lock state is to be continued.
- The default for LOCK is LOCK 1440 MINUTES (equivalent to LOCK 1 DAY or LOCK 24 HOURS).
- In literal, specify an unsigned integer.
- literal DAY[S]
- Specifies the period over which the consecutive certification failure account lock state is to be continued by day.
- The minimum is 1 (day); the maximum is 31 (days).
- literal HOUR[S]
- Specifies the period over which the consecutive certification failure account lock state is to be continued by the hour.
- The minimum is 1 (hour); the maximum is 744 (hours).
- literal MINUTE[S]
- Specifies the period over which the consecutive certification failure account lock state is to be continued by the minute.
- The minimum is 10 (minutes); the maximum is 44640 (minutes).
- UNLIMITED
- Specifies that the consecutive certification failure account lock state is to be continued indefinitely.
- PASSWORD [TEST] password-character-limit-definition
Specifies the password character limit (the rules that passwords must satisfy) that is to be enforced.
- TEST
- Specify this operand to check in advance, before a password character limit is defined, which authorization identifiers have passwords that would not satisfy the limit about to be set.
- The TEST option only determines whether each current password conforms to the character limit specified in password-character-limit-definition.
- If TEST is specified, the settings in password-character-limit-definition are not defined.
- password-character-limit-definition::=
[MIN LENGTH literal]
[USER IDENTIFIER {RESTRICT | UNRESTRICT}]
[SIMILAR {RESTRICT | UNRESTRICT}]
- MIN LENGTH literal
- Specifies the minimum password length in bytes.
- Passwords shorter than literal bytes are prohibited.
- The default for MIN LENGTH is 8.
- The minimum is 6; the maximum is 15.
- In literal, specify an unsigned integer.
- USER IDENTIFIER {RESTRICT | UNRESTRICT}
- Specifies whether passwords containing an authorization identifier are to be prohibited. The default for USER IDENTIFIER is RESTRICT.
- RESTRICT
- Specify this operand if passwords containing an authorization identifier are to be prohibited.
- UNRESTRICT
- Specify this operand if passwords containing an authorization identifier are to be allowed.
- SIMILAR {RESTRICT | UNRESTRICT}
- Specifies whether passwords made up of only one character type are to be prohibited.
- The default for SIMILAR is RESTRICT.
- The following are examples of passwords composed of a single character type, which RESTRICT prohibits:
- Examples:
- FDBGLAOT (uppercase alphabetic characters only)
- 24681357 (numerics only)
- RESTRICT
- Specify this operand to prohibit passwords composed of only one character type.
- UNRESTRICT
- Specify this operand to allow passwords composed of only one character type.
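To make the CONNECT semantics concrete, the following is an added Python example (not HiRDB code) that emulates the consecutive certification failure counter and the account lock: the account locks when the number of consecutive failures exceeds PERMISSION COUNT, stays locked for the LOCK duration (indefinitely for UNLIMITED), and a successful certification clears the counter. The literal ranges are those listed above. Assumptions the page does not state: the lock period is counted from the failure that triggered it, a correct password presented during the lock period does not end it, and time is modelled as integer minutes.

```python
# Added example (not HiRDB code): emulation of the CONNECT security object.
# Time is modelled as integer minutes so the example runs without a clock.

MINUTES_PER_UNIT = {"DAY": 1440, "HOUR": 60, "MINUTE": 1}
# Literal ranges from the reference: 1-31 days, 1-744 hours, 10-44640 minutes.
LITERAL_RANGE = {"DAY": (1, 31), "HOUR": (1, 744), "MINUTE": (10, 44640)}


def lock_minutes(spec):
    """Translate a LOCK operand such as '3 HOURS', '1 DAY' or 'UNLIMITED'
    into a number of minutes (None means an indefinite lock)."""
    if spec.strip().upper() == "UNLIMITED":
        return None
    literal, unit = spec.split()
    unit = unit.upper().rstrip("S")          # accepts DAY[S] / HOUR[S] / MINUTE[S]
    low, high = LITERAL_RANGE[unit]
    literal = int(literal)                   # the literal is an unsigned integer
    if not low <= literal <= high:
        raise ValueError(f"LOCK {spec}: literal must be {low}..{high}")
    return literal * MINUTES_PER_UNIT[unit]


class ConnectSecurity:
    """Per-authorization-identifier failure counting and account locking."""

    def __init__(self, permission_count=2, lock="1440 MINUTES"):
        if not 1 <= permission_count <= 10:
            raise ValueError("PERMISSION COUNT must be 1..10")
        self.permission_count = permission_count
        self.lock = lock_minutes(lock)
        self.failures = {}       # auth id -> consecutive failures so far
        self.locked_until = {}   # auth id -> minute the lock ends (None = UNLIMITED)

    def is_locked(self, user, now):
        if user not in self.locked_until:
            return False
        until = self.locked_until[user]
        if until is None or now < until:
            return True
        # Assumption: once the lock period has elapsed, lock and counter are cleared.
        del self.locked_until[user]
        self.failures.pop(user, None)
        return False

    def certify(self, user, password_ok, now):
        """Return 'OK', 'FAILED' or 'LOCKED' for one certification attempt."""
        if self.is_locked(user, now):
            return "LOCKED"      # assumption: nothing is honoured while locked
        if password_ok:
            self.failures.pop(user, None)   # success resets the consecutive count
            return "OK"
        count = self.failures.get(user, 0) + 1
        self.failures[user] = count
        if count > self.permission_count:   # the count "exceeds" the permission count
            self.locked_until[user] = None if self.lock is None else now + self.lock
            return "LOCKED"
        return "FAILED"


if __name__ == "__main__":
    cs = ConnectSecurity(permission_count=2, lock="10 MINUTES")
    for minute, ok in [(0, False), (1, False), (2, False), (5, True), (12, True)]:
        print(minute, cs.certify("ALICE", ok, minute))
```

With PERMISSION COUNT 2 and LOCK 10 MINUTES the first two failures are reported as FAILED, the third locks the account, a correct password at minute 5 is still refused, and at minute 12 the lock has elapsed and the login succeeds.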
Common rules
- A security object that is already defined cannot be defined again in duplicate.
- To change the definition of an item related to the connection security facility, delete the existing definition of that item and then define it again.
- If any holder of the DBA privilege or any auditor has a password that violates the specified password character limit definition, CREATE CONNECTION SECURITY FOR PASSWORD results in an error. With the TEST option, no error is generated.
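The following added Python example (not HiRDB code) emulates the three password-character-limit checks described under PASSWORD, the TEST pre-check over a constructed set of accounts, and the common rule above that the definition fails when a DBA privilege holder or auditor violates it. Assumptions the page does not state: the authorization identifier match is case-insensitive, length is counted in bytes of UTF-8, and the character types distinguished for SIMILAR are uppercase letters, lowercase letters, digits and other characters. The account names and passwords are constructed sample data.

```python
# Added example (not HiRDB code): emulation of the password character limit
# checks and of the TEST pre-check. The sample accounts below are constructed.

DEFAULT_LIMIT = {"min_length": 8, "user_identifier": "RESTRICT", "similar": "RESTRICT"}


def char_type(ch):
    # Assumption: the character types that SIMILAR distinguishes.
    if ch.isupper():
        return "upper"
    if ch.islower():
        return "lower"
    if ch.isdigit():
        return "digit"
    return "other"


def check_password(auth_id, password, min_length=8,
                   user_identifier="RESTRICT", similar="RESTRICT"):
    """Return the list of limit rules the password violates (empty if acceptable)."""
    if not 6 <= min_length <= 15:
        raise ValueError("MIN LENGTH must be 6..15")
    violations = []
    # MIN LENGTH is counted in bytes; assumption: UTF-8 is the stored encoding.
    if len(password.encode("utf-8")) < min_length:
        violations.append(f"MIN LENGTH {min_length}")
    # USER IDENTIFIER RESTRICT: the password must not contain the
    # authorization identifier (assumption: compared case-insensitively).
    if user_identifier == "RESTRICT" and auth_id.upper() in password.upper():
        violations.append("USER IDENTIFIER RESTRICT")
    # SIMILAR RESTRICT: a password of a single character type (FDBGLAOT,
    # 24681357) is prohibited.
    if similar == "RESTRICT" and len({char_type(c) for c in password}) == 1:
        violations.append("SIMILAR RESTRICT")
    return violations


def pre_check_limit(accounts, **limit):
    """Emulate CREATE CONNECTION SECURITY FOR PASSWORD TEST ...: report which
    authorization identifiers would violate the limit, defining nothing."""
    effective = dict(DEFAULT_LIMIT, **limit)
    report = {}
    for auth_id, password in accounts.items():
        violations = check_password(auth_id, password, **effective)
        if violations:
            report[auth_id] = violations
    return report


def define_limit(accounts, privileged, **limit):
    """Emulate CREATE CONNECTION SECURITY FOR PASSWORD ... without TEST: per the
    common rules, the definition fails if a DBA privilege holder or auditor
    violates it. Returns the effective limit when it would be accepted."""
    report = pre_check_limit(accounts, **limit)
    blocking = {u: v for u, v in report.items() if u in privileged}
    if blocking:
        raise ValueError(f"privileged accounts violate the limit: {blocking}")
    return dict(DEFAULT_LIMIT, **limit)


# Constructed sample data: authorization identifier -> current password.
SAMPLE_ACCOUNTS = {
    "DBADMIN": "DBADMIN9x!",     # contains its own authorization identifier
    "AUDIT01": "24681357",       # numerics only
    "APPUSER": "FDBGLAOT",       # uppercase letters only
    "ALICE": "s3cr3t",           # 6 bytes, shorter than the default MIN LENGTH 8
    "BOB": "Tr0ub4dor&3",        # satisfies all three rules
}

if __name__ == "__main__":
    for auth_id, why in pre_check_limit(SAMPLE_ACCOUNTS).items():
        print(auth_id, why)
```

Running the pre-check with the default limit flags DBADMIN, AUDIT01, APPUSER and ALICE and passes BOB; define_limit then refuses the definition while DBADMIN or AUDIT01 (the privileged accounts here) remain in violation, which mirrors the order of operations the TEST option is meant for: test, fix the offending passwords, then define.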
Notes
- The default for the single-character-type limit (SIMILAR) is RESTRICT, which puts the limit in effect. If no restriction is intended, specify UNRESTRICT explicitly.
- Even when a password character limit is already defined, you can check passwords against a limit in advance by specifying the TEST operand.
- An attempt to define the connection security facility when the directory server linkage facility is in use can cause an error.
Examples