Valid in the AC environment
The setoptions command sets system-wide CA ControlMinder options in the running system. For example, you can use setoptions to enable or disable security checking for each class, or for all classes, set the password policies, and list the current settings of the CA ControlMinder options.
Note: This command also exists in the Windows environment, but operates differently there.
You need the ADMIN attribute to use the setoptions command, except that you need only the AUDITOR or OPERATOR attribute to use the command setoptions list.
This command has the following format:
{setoptions|so} \
  [accgrr|accgrr-] \
  [accpacl|accpacl-] \
  [class+ (className)] \
  [class- (className)] \
  [class (className)] \
  [flags{+|-} (I|W)] \
  [cng_adminpwd|cng_adminpwd-] \
  [cng_ownpwd|cng_ownpwd-] \
  [cwarnlist] \
  [dms{+|-}(dms@hostname)] \
  [inactive(nDays)|inactive-] \
  [is_dms{+|-}] \
  [list] \
  [maxlogins(nLogins)|maxlogins-] \
  [password( \
    [{history(nStoredPasswords) | history-}] \
    [(interval(nDays) | interval-)] \
    [(min_life(nDays) | min_life-)] \
    [{rules( \
      [alpha(nCharacters)] \
      [alphanum(nCharacters)] \
      [(bidirectional) | (bidirectional-)] \
      [grace(nLogins)] \
      [lowercase(nCharacters)] \
      [min_len(nCharacters)] \
      [max_len(nCharacters)] \
      [max_rep(nCharacters)] \
      [{namechk|namechk-}] \
      [numeric(nCharacters)] \
      [{oldpwchk|oldpwchk-}] \
      [prohibited(prohibitedCharacters)] \
      [special(nCharacters)] \
      [sub_str_len(nCharacters)] \
      [uppercase(nCharacters)] \
      [use_dbdict|use_dbdict-] \
    )|rules-}] \
  )] \
Enables the accumulative group rights (ACCGRR) option.
The default value is enabled.
Disables the accumulative group rights (ACCGRR) option.
Enables the use of PACLs in all resources.
Disables the use of PACLs.
Sets or clears a setting for a CA ControlMinder class.
Enables one or more CA ControlMinder classes. A class must be enabled for CA ControlMinder to protect resources of that class. A class should be activated only after you have defined the necessary records to allow access to the resources that belong to the class. See the Endpoint Administration Guide for UNIX for more information about the resource classes supplied with CA ControlMinder.
Use one of the following values:
Disables one or more CA ControlMinder classes. Resources that belong to a disabled class are not protected by CA ControlMinder. Use one of the following values:
You cannot disable the classes GROUP, SECFILE, SEOS, UACC, and USER.
Enables users with the PWMANAGER attribute to change the ADMIN user's password.
Disables users with the PWMANAGER attribute from changing the ADMIN user's password. This is the default setting.
Enables users to change their own passwords through selang.
Disables users from changing their own passwords through selang. This is the default setting.
Displays a table with data about which classes are in Warning mode.
Adds or removes DMS databases from the list of DMS databases for this database.
Sets or clears functionality that is associated with a class. Valid values are:
Case-sensitivity for objects in the specified class.
Note: Verify that there is a resource with the same name before setting the I flag. CA ControlMinder shows a database error on restart if there are multiple upper or lower case resources. Restart CA ControlMinder for the I flag change to take effect.
Warning mode for the specified class.
Note: Flags are case-sensitive; use uppercase letters.
Specifies the number of previous passwords that are stored in a history list. When a password is changed, the previous password is added to the list, and the oldest password is dropped from the list if necessary. CA ControlMinder prevents a user from changing their password to one that is in the list.
Enter an integer from 1 through 24. If you specify zero, no passwords are saved.
On Windows, the history option enables the use of passwords longer than eight characters. The form of encryption used when storing the password is determined by the setoptions bidirectional or bidirectional- option.
On UNIX, the history option does not affect whether long passwords are enabled. Use the passwd_local_encryption_method configuration setting to determine whether long passwords are enabled.
Disables password history checking.
On Windows, this option disables the use of long passwords.
Specifies the number of inactive days after which a user's login is suspended. An inactive day is a day when the user does not log in. Enter a positive integer. If inactive is set to zero, the effect is the same as using the inactive- parameter.
Disables the inactive login check.
Sets the number of days that must pass after passwords are set or changed before the system prompts users for a new password. Enter a positive integer or zero. An interval of zero disables password interval checking for users. Set the interval to zero if you do not want passwords to expire.
If the utility segrace is part of the user's login script, CA ControlMinder informs the users that the current password has expired when the specified number of days is reached. The users can immediately renew the password or continue using the old password until the number of grace logins is reached. After the number of grace logins is reached, the users are denied access to the system and must contact the system administrator to select a new password.
Cancels the password interval setting.
Designates the current database as a DMS.
Removes the designation of the current database as a DMS.
Displays the current CA ControlMinder settings on the screen.
Sets the maximum number of terminals the user can log in to at the same time. A value of 0 (zero) means that the user can log in from any number of terminals concurrently. This value can be overridden by assigning a value in the user's user record.
Note: If maxlogins is set to 1, you cannot run selang. You must shut down CA ControlMinder, change the maxlogins setting to greater than one, and restart CA ControlMinder.
Note: Valid only on Unix and Linux operating systems.
Disables the global maximum logins check. The number of terminals a user can log in from is unlimited, unless the user's login is restricted in the user's user record.
Sets the minimum number of days between password changes. Enter a positive integer.
Sets the password options.
Sets one or more password rules that CA ControlMinder uses to check the quality of new passwords. The rules are:
Sets the minimum number of alphabetic characters the new password must contain. Enter an integer.
Sets the minimum number of alphanumeric characters the new password must contain. Enter an integer.
Specifies that when passwords are sent to other systems as part of PMDB, they are distributed in clear text (within encrypted messages).
On UNIX, this option is equivalent to setting the following passwd section setting value:
Passwd_distribution_encryption_mode=bidirectional
Note: We recommend that you set the configuration setting rather than use the setoptions command.
On Windows, the passwords are stored in the history list with the encryption specified in the registry value:
HKEY_LOCAL_MACHINE\SOFTWARE\ComputerAssociates\AccessControl\Encryption Package
Specifies that passwords are sent in their hash encrypted form.
On Windows, the hash function used is SHA-1.
On UNIX, this option is equivalent to setting the following passwd section setting value:
Passwd_distribution_encryption_mode=compatibility
Note: We recommend that you set the configuration setting rather than use the setoptions command.
If this option is specified, long passwords cannot be distributed between heterogeneous operating systems.
Sets the maximum number of grace logins that are permitted before the user is suspended. The number of grace logins must be from 0 through 255 inclusive.
Sets the minimum number of lowercase characters the new password must contain. Enter an integer.
Sets the minimum password length. Enter the minimum total number of characters that the new password must contain.
Sets the maximum password length. Enter the maximum total number of characters that the new password can contain.
Sets the maximum number of repetitive characters the new password can contain. Enter an integer.
Checks whether the password contains or is contained by the user's name. By default, CA ControlMinder performs this check.
Turns off the namechk check.
Sets the minimum number of numeric characters the new password must contain. Enter an integer.
Checks whether the new password contains or is contained by the password being replaced. By default, CA ControlMinder performs this check.
Note: Valid only on Unix and Linux operating systems.
Turns off the oldpwchk.
Specifies characters a user cannot use in a password. Enter the prohibited characters.
Note: We recommend that you verify that control characters '\' and 't' are both specified in the prohibitedCharacters list, to block the use of the tab key.
Sets the minimum number of special characters the new password must contain. Enter an integer.
Sets the maximum number of characters the new password can share with the previous password. Enter an integer.
Sets the minimum number of uppercase characters the new password must contain. Enter an integer.
Sets the password dictionary. use_dbdict sets the token to db and compares passwords against words in the CA ControlMinder database. use_dbdict- sets the token to file and checks passwords against a file specified in the seos.ini file for UNIX or Windows registry for Windows.
Disables password quality checking. None of the rules specified by the rules argument are used for password quality checking.
Examples: Set CA ControlMinder Options
The user John has the ADMIN attribute.
setoptions class+(OpsAct)
The user Mike has the ADMIN attribute.
setoptions class+(PASSWORD)
setoptions password(rules(min_len(6)))
The user SecAdmin has the ADMIN attribute.
setoptions class+(SECLEVEL)
The user Janani has the ADMIN attribute.
setoptions dms+(apache@myHost)
Example: Put a Class into Warning Mode
Put a class into Warning mode by setting the Warning property on the class. You can use the setoptions selang command to do this, as follows:
setoptions class(classname) flags+ (W)
Defines the name of the class you want to put into Warning mode.
Note: The W flag is case-sensitive and must be in uppercase.
To clear Warning mode for the class, you can also use the setoptions command, as follows:
setoptions class(classname) flags- (W)
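Added example: Check a setoptions Command Before Running It
The following Python script is an added example and is not part of the CA ControlMinder documentation or product. It checks a setoptions command line against the limits and restrictions stated on this page; the function name lint_setoptions, the case-insensitive class comparison, and the sample commands are assumptions made for illustration.

```python
import re

# Limits and restrictions as stated on this reference page.
UNDISABLEABLE = {"GROUP", "SECFILE", "SEOS", "UACC", "USER"}
RANGES = {"history": (0, 24), "grace": (0, 255)}
# Settings the page describes as switching a check off (reported as warnings).
WEAKENING = {
    r"\brules-(?!\w)": "rules- disables password quality checking",
    r"\bhistory-(?!\w)": "history- disables password history checking",
    r"\binterval\s*\(\s*0+\s*\)": "interval(0) means passwords never expire",
    r"\binactive\s*\(\s*0+\s*\)": "inactive(0) disables the inactive login check",
}

def lint_setoptions(cmd):
    """Return findings ("ERROR: ..." / "WARN: ...") for one setoptions line."""
    if not re.match(r"\s*(setoptions|so)\b", cmd):
        return ["ERROR: not a setoptions command"]
    out = []
    for name in re.findall(r"\bclass-\s*\(\s*([^)\s]+)\s*\)", cmd):
        if name.upper() in UNDISABLEABLE:  # case-insensitive match is an assumption
            out.append(f"ERROR: class {name} cannot be disabled")
    for flag in re.findall(r"\bflags[+-]\s*\(\s*([^)]*?)\s*\)", cmd):
        if flag not in ("I", "W"):
            out.append(f"ERROR: flag '{flag}' must be uppercase I or W")
    for opt, (lo, hi) in RANGES.items():
        for val in re.findall(rf"\b{opt}\s*\(\s*(-?\d+)\s*\)", cmd):
            if not lo <= int(val) <= hi:
                out.append(f"ERROR: {opt}({val}) is outside {lo}-{hi}")
    if re.search(r"\bmaxlogins\s*\(\s*1\s*\)", cmd):
        out.append("ERROR: maxlogins(1) prevents running selang")
    for pattern, msg in WEAKENING.items():
        if re.search(pattern, cmd):
            out.append("WARN: " + msg)
    return out

# Constructed sample commands, not taken from a real system.
SAMPLES = [
    "setoptions class-(USER)",
    "setoptions class(OpsAct) flags+ (w)",
    "so password(history(30) rules(grace(300) min_len(6)))",
    "setoptions password(interval(0) rules-)",
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(line, "->", lint_setoptions(line) or "ok")
```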
Copyright © 2013 CA Technologies.
All rights reserved.