3.4.7 Setting a password policy
This subsection describes how to set a password policy. When a JP1 user is registered or a JP1 user's password is changed, the specified password is checked against this password policy. For details on the password policy, see 2.1.1(3) Password policy-based management.
The procedure below describes how to set a password policy.
(1) Common definition information
Setting a password policy means making changes to the common definition information. You must therefore first back up the common definition information before proceeding to set a password policy.
To back up common definition information, execute the following command to acquire only the common definition information for JP1/Base:
jbsgetcnf -c JP1BASE > backup-file
When you run JP1/Base in a cluster system, execute the following command to acquire only the common definition information for JP1/Base:
jbsgetcnf -h logical-host-name -c JP1BASE > backup-file
(2) Password policy settings
You can set a password policy on the primary authentication server as follows:
- Edit the password policy definition file.
  The jp1bs_passwdpolc.conf file is copied from the jp1bs_passwdpolc.conf.model file upon installation.
  - In Windows:
    installation-folder\conf\passwdpolc\jp1bs_passwdpolc.conf
    shared-folder\jp1base\conf\passwdpolc\jp1bs_passwdpolc.conf (applicable to cluster use)
  - In UNIX:
    /etc/opt/jp1base/conf/passwdpolc/jp1bs_passwdpolc.conf
    shared-directory/jp1base/conf/passwdpolc/jp1bs_passwdpolc.conf (applicable to cluster use)
  Set values for the parameters in the password policy definition file. For details on the password policy definition file, see Password policy definition file in 16. Definition Files.
Example of how to specify the jp1bs_passwdpolc.conf file
[JP1_DEFAULT\JP1BASE\PASSWDPOLC]
"ENABLE"=dword:00000001
"PASSWD_LEN_MIN"=dword:00000010
"NUM_OF_CHAR_TYPE_MIN"=dword:00000003
"REQ_CHAR_TYPE"="NUM,UPPER,SYMBOL"
- Execute the jbssetcnf command.
  jbssetcnf Password-policy-definition-file
For details about the jbssetcnf command, see jbssetcnf in 15. Commands.
- Start or restart JP1/Base.
  The new settings are applied when JP1/Base starts. If JP1/Base is running, restart it.
Because the secondary authentication server must have the same password policy as the primary authentication server, copy the set password policy definitions to the secondary authentication server.
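One way to verify that requirement after copying, as an added example that is not part of the original manual: a Python check that parses two password policy definition files and reports every parameter that differs. The function names parse_policy and policy_drift and both sample files are constructed for illustration, and dword values are assumed to be hexadecimal.

```python
import re

# Constructed samples in the format of the jp1bs_passwdpolc.conf example above.
PRIMARY = r'''[JP1_DEFAULT\JP1BASE\PASSWDPOLC]
"ENABLE"=dword:00000001
"PASSWD_LEN_MIN"=dword:00000010
"NUM_OF_CHAR_TYPE_MIN"=dword:00000003
"REQ_CHAR_TYPE"="NUM,UPPER,SYMBOL"
'''
SECONDARY = r'''[JP1_DEFAULT\JP1BASE\PASSWDPOLC]
"ENABLE"=dword:00000001
"PASSWD_LEN_MIN"=dword:00000008
"REQ_CHAR_TYPE"="NUM,UPPER,SYMBOL"
'''

ENTRY = re.compile(r'^"([^"]+)"\s*=\s*(?:dword:([0-9A-Fa-f]+)|"([^"]*)")$')

def parse_policy(text):
    """Return {parameter: value} from a password policy definition file."""
    policy, in_section = {}, False
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if line.startswith('[') and line.endswith(']'):
            in_section = line[1:-1].upper().endswith(r'\JP1BASE\PASSWDPOLC')
            continue
        m = ENTRY.match(line)
        if not (in_section and m):
            # Fail closed: an unreadable line could hide a weakened setting.
            raise ValueError(f"line {n}: unrecognized entry: {line!r}")
        key, dword, text_value = m.groups()
        # Assumption: dword digits are hexadecimal (registry-style notation).
        policy[key] = int(dword, 16) if dword is not None else text_value
    return policy

def policy_drift(primary, secondary):
    """Return {parameter: (primary_value, secondary_value)} for every mismatch."""
    p, s = parse_policy(primary), parse_policy(secondary)
    return {k: (p.get(k), s.get(k))
            for k in sorted(p.keys() | s.keys()) if p.get(k) != s.get(k)}

if __name__ == "__main__":
    for key, (pv, sv) in policy_drift(PRIMARY, SECONDARY).items():
        print(f"{key}: primary={pv!r} secondary={sv!r}")
```

A parameter missing on one server is reported with None on that side, so a setting dropped during the copy shows up as drift rather than passing silently.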
Notes
- When a secondary authentication server is installed, it must have the same password policy definitions as the primary authentication server.
- If you change the password policy settings, you have to modify the originally registered passwords to make them compliant with the new password policy, as follows:
  - Acquire a list of JP1 users (a list containing the date and time at which user data was last modified for each JP1 user (yyyy/mm/dd HH:MM:SS format)).
    Confirm that the authentication server is up and running, and then execute the following command:
    jbslistuser -ld
  - Change the passwords of all JP1 users whose data was last modified prior to the setting of the new password policy.