Product Documentation

Database Administrator's Guide

Automatically Enforce Password Strength

FairCom Server supports setting the following requirements for user account passwords:

  • The minimum length of a password, which can be any value up to the maximum, 64.
  • The minimum number of required character classes in a password, where the recognized character classes are: lowercase characters, uppercase characters, numbers, and symbols.
  • The password expiration in days.

These options can be set server-wide by adding the following options to ctsrvr.cfg:

SUBSYSTEM SECURITY PASSWORD {
    MINIMUM_LENGTH length
    REQUIRED_CLASSES classes
    EXPIRE_IN_DAYS days
}

For example, to require passwords to be at least 8 characters, to require having at least 3 of the 4 character classes, and to expire passwords after 180 days, add the following to ctsrvr.cfg:

SUBSYSTEM SECURITY PASSWORD {
    MINIMUM_LENGTH 8
    REQUIRED_CLASSES 3
    EXPIRE_IN_DAYS 180
}

This subsystem can be specified in a server settings file to prevent these settings from being changed in the configuration file or at runtime.

If the minimum length and required classes settings are changed in the configuration file or at runtime, they do not affect existing passwords because only a hash of the password is stored. The time to expiration takes effect immediately even for existing user accounts.

When changing subsystem options at runtime (for example, using ctadmn), either the entire subsystem or particular subsystem options might be blocked by having been specified in a settings file. In both cases, the attempt to change the options fails with error SETO_ERR (804), even if some of the subsystem options are not blocked. If SETO_ERR occurs when specifying multiple options at runtime, check CTSTATUS.FCS for a message indicating which options are blocked and try again with just those options that are not blocked.
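The following is an added example, not FairCom code: a Python sketch that reads the SUBSYSTEM SECURITY PASSWORD block from ctsrvr.cfg text, flags settings that are missing or outside the documented limits, and pre-checks a candidate password against the length and character-class rules. The function names are hypothetical, and treating any character that is not an ASCII letter or digit as a symbol is an assumption about how the server classifies characters.

```python
import re
import string

# Constructed sample: the policy block from the example above.
SAMPLE_CFG = """SUBSYSTEM SECURITY PASSWORD {
MINIMUM_LENGTH 8
REQUIRED_CLASSES 3
EXPIRE_IN_DAYS 180
}
"""
KEYS = ("MINIMUM_LENGTH", "REQUIRED_CLASSES", "EXPIRE_IN_DAYS")
BLOCK_RE = re.compile(r"SUBSYSTEM\s+SECURITY\s+PASSWORD\s*\{(.*?)\}", re.S)

def parse_policy(cfg_text):
    """Return the numeric password options found in the subsystem block."""
    m = BLOCK_RE.search(cfg_text)
    policy = {}
    for line in (m.group(1).splitlines() if m else []):
        parts = line.split()
        if len(parts) == 2 and parts[0] in KEYS and parts[1].isdigit():
            policy[parts[0]] = int(parts[1])
    return policy

def audit_policy(policy):
    """List options that are absent or exceed the limits the guide documents."""
    findings = [f"{k} not set" for k in KEYS if k not in policy]
    if policy.get("MINIMUM_LENGTH", 0) > 64:
        findings.append("MINIMUM_LENGTH exceeds documented maximum of 64")
    if policy.get("REQUIRED_CLASSES", 0) > 4:
        findings.append("REQUIRED_CLASSES exceeds the 4 recognized classes")
    return findings

def count_classes(password):
    # Assumption: anything that is not an ASCII letter or digit is a symbol.
    alnum = string.ascii_letters + string.digits
    return sum([
        any(c in string.ascii_lowercase for c in password),
        any(c in string.ascii_uppercase for c in password),
        any(c in string.digits for c in password),
        any(c not in alnum for c in password),
    ])

def check_password(password, policy):
    """Return the reasons a candidate password would fail the parsed policy."""
    problems = []
    if len(password) < policy.get("MINIMUM_LENGTH", 0):
        problems.append("too short")
    if count_classes(password) < policy.get("REQUIRED_CLASSES", 0):
        problems.append("too few character classes")
    return problems
```

Because the server stores only a hash, a check like this applies to new or changed passwords; it cannot tell whether existing passwords meet a tightened policy.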
