To change the server-level policies, edit the InternalAuthenticationPolicy element in the metadata server's omaconfig.xml file, and then restart that server.
Here is the syntax for each policy option:
Note: The following option names are case-sensitive.
Note: A value of T has aliases (1 or Y). A value of F has aliases (0 or N).
ChangeDelayInMinutes="number"
specifies the number of minutes that must elapse between password changes. Applies only when you are resetting your own password.
specifies whether passwords must include at least one digit. To enforce this requirement, specify T.
specifies the number of days after a password is set that the password expires. A value of 0 prevents passwords from expiring.
ExpirePasswordOnReset="T | F"
specifies whether a forced password change occurs on first use and after an administrative password reset. To disable this requirement, specify F.
HashPasswords="SHA256 | MD5"
specifies how the internal account password is stored in the metadata.
SHA256 | the SHA-256 hash function is used. SHA (secure hash algorithm) is FIPS (Federal Information Processing Standard) compliant. If you have SAS/SECURE, this is the default.
MD5 | MD5 hashing is used. MD5 (message digest algorithm 5) is appropriate for preventing accidental exposure of information. If you don't have SAS/SECURE, this is the default.
CAUTION: Passwords that are stored in SHA-256 format become unusable and inaccessible if SAS/SECURE is unavailable.
If you use SAS/SECURE, it is important to keep your SAS/SECURE license current. If you choose to discontinue use of SAS/SECURE, you must revert all stored internal account passwords to MD5 format before you uninstall the software. To revert passwords, set HashPasswords="MD5", restart the metadata server, and update the password in every internal account.
MinLength="number-of-characters"
specifies the minimum length for passwords.
specifies whether passwords must include at least one uppercase letter and at least one lowercase letter. To enforce this requirement, specify T.
NumPriorPasswords="number"
specifies the number of passwords that are maintained in each account's password history. A user can't reuse a password that is in the user's account history.
InactiveDaysToSuspension="number"
specifies the number of days after which an unused account is suspended. A value of 0 prevents suspensions due to inactivity.
LockoutDurationInMinutes="number"
specifies the number of minutes for which an account is locked following excessive login failures.
NumFailuresForLockout="number"
specifies the number of consecutive unsuccessful logon attempts that cause an account to be locked. We recommend that you do not specify 0, because doing so can make your system vulnerable to password guessing attacks.
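
The following audit script is an added example, not part of the SAS documentation or SAS software. It reads the InternalAuthenticationPolicy element and reports the settings this page cautions about, plus option names written in the wrong case. The sample XML is constructed, and the OMAconfig wrapper element and the function names are assumptions.

```python
import xml.etree.ElementTree as ET

# Option names exactly as spelled on this page (names are case-sensitive).
KNOWN = ["ChangeDelayInMinutes", "ExpirePasswordOnReset", "HashPasswords",
         "MinLength", "NumPriorPasswords", "InactiveDaysToSuspension",
         "LockoutDurationInMinutes", "NumFailuresForLockout"]
TRUE, FALSE = {"T", "1", "Y"}, {"F", "0", "N"}  # documented value aliases

# Constructed sample. The <OMAconfig> wrapper is an assumption about the file.
SAMPLE = """<OMAconfig>
  <InternalAuthenticationPolicy HashPasswords="MD5" ExpirePasswordOnReset="N"
      NumFailuresForLockout="0" minlength="8" LockoutDurationInMinutes="30"/>
</OMAconfig>"""

def _as_int(value):
    """Return the value as an int, or None if it is missing or not numeric."""
    try:
        return int(value)
    except (TypeError, ValueError):
        return None

def audit_policy(xml_text):
    """Return (option, finding) tuples for the InternalAuthenticationPolicy element."""
    root = ET.fromstring(xml_text)
    elem = root if root.tag == "InternalAuthenticationPolicy" \
        else root.find(".//InternalAuthenticationPolicy")
    if elem is None:
        return [("InternalAuthenticationPolicy", "element not found")]
    opts, findings = elem.attrib, []
    by_lower = {name.lower(): name for name in KNOWN}
    for name in opts:  # names are case-sensitive: flag a known name in the wrong case
        canonical = by_lower.get(name.lower())
        if canonical and canonical != name:
            findings.append((name, "wrong case, expected " + canonical))
    if opts.get("HashPasswords") == "MD5":
        findings.append(("HashPasswords", "MD5 storage; SHA256 needs SAS/SECURE"))
    reset = opts.get("ExpirePasswordOnReset")
    if reset in FALSE:
        findings.append(("ExpirePasswordOnReset", "no forced change after reset"))
    elif reset is not None and reset not in TRUE:
        findings.append(("ExpirePasswordOnReset", "value is not T or F"))
    if _as_int(opts.get("NumFailuresForLockout")) == 0:
        findings.append(("NumFailuresForLockout", "0 allows password guessing"))
    if _as_int(opts.get("InactiveDaysToSuspension")) == 0:
        findings.append(("InactiveDaysToSuspension", "unused accounts never suspended"))
    return findings

if __name__ == "__main__":
    for option, finding in audit_policy(SAMPLE):
        print(option + ": " + finding)
```

An absent HashPasswords attribute is not reported, because the default depends on whether SAS/SECURE is installed.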