CREATE CONNECTION SECURITY (Define the connection security facility)

Function

CREATE CONNECTION SECURITY defines security items related to the connection security facility.

Privilege

Users who have DBA privilege
Users who have the DBA privilege can execute definition statements related to CREATE CONNECTION SECURITY.

Format

CREATE CONNECTION SECURITY FOR security-object[, security-object]

security-object::= {CONNECT [PERMISSION COUNT literal
  [LOCK {literal DAY[S]|literal HOUR[S]
  | literal MINUTE[S]|UNLIMITED}]]
 | PASSWORD [TEST] password-character-limit-definition}

password-character-limit-definition::= [MIN LENGTH literal]
  [USER IDENTIFIER {RESTRICT|UNRESTRICT}]
  [SIMILAR {RESTRICT|UNRESTRICT}]

Operands

CONNECT [PERMISSION COUNT literal
[LOCK {literal DAY[S] | literal HOUR[S] | literal MINUTE[S]
| UNLIMITED}]]
Specifies the default values for the consecutive certification failure limit.
PERMISSION COUNT literal
Specifies the permitted number of consecutive certification failures before a consecutive certification failure account lock state occurs. The account enters this lock state when the number of consecutive certification failures exceeds the specified value.
The default for PERMISSION COUNT is 2. If PERMISSION COUNT is omitted, the LOCK option cannot be specified.
literal
Specifies the permitted number of consecutive certification failures before a consecutive certification failure account lock state occurs.
The minimum is 1 time; the maximum is 10 times.
In literal, specify an unsigned integer.
LOCK {literal DAY[S] | literal HOUR[S] | literal MINUTE[S] | UNLIMITED}
Specifies the duration for which the consecutive certification failure account lock state is to be continued.
The default for LOCK is LOCK 1440 MINUTES (equivalent to LOCK 1 DAY or LOCK 24 HOURS).
In literal, specify an unsigned integer.
literal DAY[S]
Specifies, in days, the period for which the consecutive certification failure account lock state is to be continued.
The minimum is 1 day; the maximum is 31 days.
literal HOUR[S]
Specifies, in hours, the period for which the consecutive certification failure account lock state is to be continued.
The minimum is 1 hour; the maximum is 744 hours.
literal MINUTE[S]
Specifies, in minutes, the period for which the consecutive certification failure account lock state is to be continued.
The minimum is 10 minutes; the maximum is 44640 minutes.
UNLIMITED
Specifies that the consecutive certification failure account lock state is to be continued indefinitely.
TEST
Before defining a password character limit, specify this operand to check in advance for authorization identifiers whose current passwords would not satisfy the limit about to be set.
The TEST option only determines whether each current password is compatible with the character limit specified in password-character-limit-definition.
If TEST is specified, the settings in password-character-limit-definition are checked but not defined.
MIN LENGTH literal
Specifies the minimum required password length in bytes.
Passwords shorter than literal bytes are prohibited.
The default for MIN LENGTH is 8.
The minimum is 6; the maximum is 15.
In literal, specify an unsigned integer.
USER IDENTIFIER {RESTRICT | UNRESTRICT}
Specifies whether passwords containing an authorization identifier are to be prohibited. The default for USER IDENTIFIER is RESTRICT.
RESTRICT
Specify this operand if passwords containing an authorization identifier are to be prohibited.
UNRESTRICT
Specify this operand if passwords containing an authorization identifier are to be allowed.
SIMILAR {RESTRICT | UNRESTRICT}
Specifies whether passwords composed entirely of a single character type are to be prohibited.
The default for SIMILAR is RESTRICT.
This operand determines whether passwords of the following kind are prohibited:
Examples:
FDBGLAOT (uppercase alphabetic characters only)
24681357 (numerics only)
RESTRICT
Specify this operand if passwords composed entirely of a single character type are to be prohibited.
UNRESTRICT
Specify this operand if passwords composed entirely of a single character type are to be allowed.

Common rules

  1. A security object that is already defined cannot be defined again; duplicate definitions are not permitted.
  2. To modify the definition of an item related to the connection security facility, delete the existing definition of that item and then redefine it.
  3. If any DBA privilege holder or auditor has a password that violates the specified password character limit definition, CREATE CONNECTION SECURITY FOR PASSWORD returns an error. With the TEST option, no error is generated.

Notes

  1. The default for the single-character type limit is RESTRICT, which puts the limit in effect. If no restriction is intended, the UNRESTRICT option should be specified.
  2. Even when a password character limit is defined, you can check passwords in advance by specifying the TEST operand.
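The following Python checker is an added example, not part of the HiRDB manual or product: it mirrors the operand ranges documented above (PERMISSION COUNT, LOCK units, MIN LENGTH) and the password character limit rules so an administrator can pre-screen candidate settings and passwords before running the statement with TEST. It assumes byte length is measured in UTF-8, that the USER IDENTIFIER match is case-insensitive, and that character types are uppercase, lowercase, digit and other; the product's exact rules may differ.

```python
from dataclasses import dataclass

# Documented ranges for CREATE CONNECTION SECURITY operands (taken from the operand descriptions).
PERMISSION_COUNT_RANGE = (1, 10)
MIN_LENGTH_RANGE = (6, 15)
LOCK_RANGES = {"DAY": (1, 31), "HOUR": (1, 744), "MINUTE": (10, 44640)}
MINUTES_PER_UNIT = {"DAY": 1440, "HOUR": 60, "MINUTE": 1}


def lock_duration_minutes(literal, unit):
    """Convert a LOCK literal/unit pair to minutes after range-checking it.
    Returns None for UNLIMITED; raises ValueError for an out-of-range literal."""
    unit = unit.upper().rstrip("S")          # accept DAY/DAYS, HOUR/HOURS, MINUTE/MINUTES
    if unit == "UNLIMITED":
        return None
    lo, hi = LOCK_RANGES[unit]
    if not lo <= literal <= hi:
        raise ValueError(f"LOCK {literal} {unit} outside {lo}..{hi}")
    return literal * MINUTES_PER_UNIT[unit]


@dataclass
class PasswordLimit:
    min_length: int = 8                    # MIN LENGTH default
    user_identifier_restrict: bool = True  # USER IDENTIFIER RESTRICT default
    similar_restrict: bool = True          # SIMILAR RESTRICT default

    def __post_init__(self):
        lo, hi = MIN_LENGTH_RANGE
        if not lo <= self.min_length <= hi:
            raise ValueError(f"MIN LENGTH {self.min_length} outside {lo}..{hi}")


def _single_character_type(password):
    # Assumption: character types are uppercase, lowercase, digit, other.
    kinds = {"U" if c.isupper() else "L" if c.islower() else "D" if c.isdigit() else "O"
             for c in password}
    return len(kinds) == 1


def check_password(password, auth_id, limit):
    """Return the operands the password violates (empty list means it would pass TEST)."""
    violations = []
    if len(password.encode("utf-8")) < limit.min_length:   # assumption: UTF-8 byte length
        violations.append("MIN LENGTH")
    if limit.user_identifier_restrict and auth_id.lower() in password.lower():
        violations.append("USER IDENTIFIER")               # assumption: case-insensitive
    if limit.similar_restrict and _single_character_type(password):
        violations.append("SIMILAR")
    return violations


def is_locked(consecutive_failures, permission_count):
    """Lock state occurs once consecutive failures exceed PERMISSION COUNT (1..10)."""
    lo, hi = PERMISSION_COUNT_RANGE
    if not lo <= permission_count <= hi:
        raise ValueError(f"PERMISSION COUNT {permission_count} outside {lo}..{hi}")
    return consecutive_failures > permission_count
```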

Examples

  1. Define security parameters for the connection security facility by specifying the following settings:
    Definition for consecutive certification failure limit
    - Permitted number of consecutive certification failures: 5
    - Lock duration: 7 days
    Password character limit definition
    - Minimum password length in bytes: 10
    - Prohibit passwords containing an authorization identifier
    - Prohibit single-character-type passwords

    CREATE CONNECTION SECURITY FOR
     CONNECT PERMISSION COUNT 5
             LOCK 7 DAY,
     PASSWORD MIN LENGTH 10
              USER IDENTIFIER RESTRICT
              SIMILAR RESTRICT

  2. Define security parameters for the connection security facility by specifying the following settings:
    Definition for consecutive certification failure limit
    - Permitted number of consecutive certification failures: 5
    - Lock duration: 15 hours
    Password character limit definition
    - Assign the default values

    CREATE CONNECTION SECURITY FOR
     CONNECT PERMISSION COUNT 5
             LOCK 15 HOUR,
     PASSWORD

  3. Define security parameters for the connection security facility by specifying the following settings:
    Definition for consecutive certification failure limit
    - Not defined
    Password character limit definition
    - Assign the default values

    CREATE CONNECTION SECURITY FOR PASSWORD