You can specify that users meet certain requirements when logging on to the system.

To disable accounts for inactivity

User accounts can be disabled if the user does not log on during a specified period of time.
Use this procedure to enable a task that runs every 24 hours and disables inactive users. Use RBAC Manager to specify which users are subject to disabling because of inactivity. If a user is subject to disabling because of inactivity, the task you enable with this procedure disables that user.
The automatic disabling task cannot disable the administrative users BLAdmin and RBACAdmin.

  1. Start the Application Server Administration console (that is, the blasadmin utility), as described in Starting the Application Server Administration console.
  2. Enable the task that disables accounts for inactivity by entering the following:
    set accountconfig UserAccountInactiveDisabling true
    By default, this value is set to false.
  3. To specify the number of days after which a user account is disabled, enter the following:
    set accountconfig UserAccountInactiveTime #
    In the command shown above, # specifies a period of time in days. By default, this value is set to 30. The value can be a minimum of 7 and a maximum of 365.
  4. Restart the Application Server.

To set SRP logon requirements

Use this procedure to configure the Application Server so it forces users logging on using SRP to meet any of the following requirements:

  • Minimum password length: By setting a minimum password length, you can require that any password a user specifies be at least that long. By default, there is no minimum length for passwords.
  • Maximum password age: By setting a maximum password age, you can require users to change passwords at specified intervals.
  • Account lockout: By setting a threshold and duration for account lockouts, you can specify how many failed logons cause a user to be locked out and how long that lockout lasts.
  • Password complexity: If you require password complexity, a password must meet the following requirements:
    • Passwords cannot contain a user's account name or part of the user's account name.
      The system applies the following rules when checking for user names:
      • Case sensitivity does not matter.
      • A domain name in the user's account name is not considered.
        For example, in the name user@domain, the word "domain" is not considered.
      • If a user name includes delimiters, substrings of the user name cannot be included in the passwords.
        To enforce this, the user account name is parsed for the following delimiters: commas, periods, dashes, hyphens, underscores, spaces, pound signs, and tabs. If any of these delimiters are found, the user account name is broken into tokens.
        Tokens of three characters or less are ignored. Tokens of more than three characters cannot be included in the password. For example, the name John B. Good is split into three tokens: John, B., and Good. The second token is less than three characters so it is ignored. In this example, the user's password cannot include "john" or "good."
    • Passwords must contain characters from three of the following categories:
      • Uppercase letters
      • Lowercase letters
      • Digits 0 through 9
      • Non-alphanumeric characters: ~!@#$%^&*_--+=`|(){}[]:;"'<>,.?/
      • Any Unicode characters that are not characterized as upper or lowercase letters.
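
The complexity rules above, written out as a validator that could pre-check passwords in a provisioning script. This is an added example, not code from the product; the function names are hypothetical, and it assumes that only the delimiter-separated tokens of the name are matched and that the last category means letters that have no case.

```python
import re

# Special characters as listed above (the doubled dash there is taken as one hyphen).
SYMBOLS = set("~!@#$%^&*_-+=`|(){}[]:;\"'<>,.?/")
# Delimiters named above: comma, period, dash/hyphen, underscore, space, pound sign, tab.
DELIMITERS = re.compile(r"[,.\-_ #\t]+")


def name_tokens(account_name):
    """Lowercase tokens of the account name that a password may not contain."""
    local = account_name.split("@", 1)[0]      # the domain part is not considered
    tokens = DELIMITERS.split(local.lower())   # case does not matter
    return [t for t in tokens if len(t) > 3]   # three characters or less: ignored


def categories(password):
    """Set of character categories present in the password."""
    found = set()
    for ch in password:
        if ch in "0123456789":
            found.add("digit")
        elif ch in SYMBOLS:
            found.add("symbol")
        elif ch.isupper():
            found.add("upper")
        elif ch.islower():
            found.add("lower")
        elif ch.isalpha():                     # assumption: caseless letters, e.g. CJK
            found.add("caseless")
    return found


def check_password(account_name, password):
    """Return the list of violated rules; an empty list means compliant."""
    problems = []
    lowered = password.lower()
    for token in name_tokens(account_name):
        if token in lowered:
            problems.append(f"contains name token '{token}'")
    found = categories(password)
    if len(found) < 3:
        problems.append(f"only {len(found)} of 5 character categories used")
    return problems
```

Because the domain is not considered, a password such as Example2024 passes for jsmith@example.com; a site that wants to block that needs its own additional check.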
  1. Start the Application Server Administration console (that is, the blasadmin utility), as described in Starting the Application Server Administration console.
  2. Do any of the following:

    • To specify the minimum password length, enter:
      set accountconfig MinPasswordLength #
      In this command, # is the minimum length for passwords. Entering a 0 indicates there is no minimum length for passwords.
    • To specify how long it takes for a password to expire, enter:
      set accountconfig MaxPasswordAge #
      In this command, # is a period of time in days. Entering a 0 indicates passwords do not expire. In RBAC you can specify that passwords never expire no matter what expiration period you specify. For more information about RBAC, see Managing access.
    • To specify the number of times a user can fail to log on before being locked out, enter:
      set accountconfig AccountLockoutThreshold #
      In this command, # is the number of failed logons that trigger a lockout. Entering a 0 indicates that users cannot be locked out because of logon failures.
    • To specify how long a user is locked out when he or she has surpassed the lockout threshold, enter:
      set accountconfig AccountLockoutDuration #
      In this command, # is the number of minutes the user is locked out. Entering a 0 indicates that users can only be unlocked by an administrator using RBAC.
    • To specify that user passwords meet complexity requirements, enter:
      set accountconfig IsPasswordComplexityEnabled true
      By default, this value is set to false.
    • To specify that user passwords not match previous passwords:
      Enable checking of password history by entering the following command:
      set accountconfig IsPasswordHistoryEnabled true
      By default, this value is set to false.
      Specify how many passwords can be stored for comparison with the current password by entering the following command:
      set accountconfig MaxPasswordHistory #
      The maximum number of passwords that can be stored is 30. The minimum is 1. By default, this value is set to 5.

  3. Restart the Application Server.