

setoptions Command—Set CA ControlMinder Options

Valid in the AC environment

The setoptions command sets system-wide CA ControlMinder options in the running system. For example, you can use setoptions to enable or disable security checking for each class, or for all classes, set the password policies, and list the current settings of the CA ControlMinder options.

Note: This command also exists in the Windows environment, but operates differently there.

You need the ADMIN attribute to use the setoptions command, with the exception that you need only the AUDITOR or OPERATOR attribute to use the command setoptions list.

This command has the following format:

{setoptions|so} \
[accgrr|accgrr‑] \
[accpacl|accpacl‑] \
[class+ (className)] \
[class‑ (className)] \
[class (className)] \
[flags{+|-} (I|W)] \
[cng_adminpwd|cng_adminpwd‑] \
[cng_ownpwd|cng_ownpwd‑] \
[cwarnlist] \
[dms{+|-}(dms@hostname)] \
[inactive(nDays)|inactive‑] \
[is_dms{+|-}] \
[list] \
[maxlogins(nLogins)|maxlogins‑] \
[password( \
[{history(nStoredPasswords) | history‑}] \
[(interval(nDays) | interval‑)] \
[(min_life(nDays) | min_life‑)] \
[{rules( \
	[alpha(nCharacters)] \
	[alphanum(nCharacters)] \
	[(bidirectional) | (bidirectional-)] \
	[grace(nLogins)] \
	[lowercase(nCharacters)] \
	[min_len(nCharacters)] \
	[max_len(nCharacters)] \
	[max_rep(nCharacters)] \
	[{namechk|namechk‑}] \
	[numeric(nCharacters)] \
	[{oldpwchk|oldpwchk‑}] \
	[prohibited(prohibitedCharacters)] \
	[special(nCharacters)] \
	[sub_str_len(nCharacters)] \
	[uppercase(nCharacters)] \
	[use_dbdict|use_dbdict-] \
)|rules‑}] \
)]

accgrr

Enables the accumulative group rights (ACCGRR) option.

The default value is enabled.

accgrr‑

Disables the accumulative group rights (ACCGRR) option.

accpacl

Enables the use of PACLs in all resources.

accpacl‑

Disables the use of PACLs.

class (className)

Sets or clears a setting for a CA ControlMinder class.

class+(className)

Enables one or more CA ControlMinder classes. A class must be enabled for CA ControlMinder to protect resources of that class. A class should be activated only after you have defined the necessary records to allow access to the resources that belong to the class. See the Endpoint Administration Guide for UNIX for more information about the resource classes supplied with CA ControlMinder.

Use one of the following values:

class‑(className)

Disables one or more CA ControlMinder classes. Resources that belong to a disabled class are not protected by CA ControlMinder. Use one of the following values:

You cannot disable the classes GROUP, SECFILE, SEOS, UACC, and USER.

cng_adminpwd

Enables users with the PWMANAGER attribute to change the ADMIN user's password.

cng_adminpwd‑

Disables users with the PWMANAGER attribute from changing the ADMIN user's password. This is the default setting.

cng_ownpwd

Enables users to change their own passwords through selang.

cng_ownpwd‑

Disables users from changing their own passwords through selang. This is the default setting.

cwarnlist

Displays a table with data about which classes are in Warning mode.

dms{+|-}(dms@hostname)

Adds or removes DMS databases from the list of DMS databases for this database.

flags{+|-} (I|W)

Sets or clears functionality that is associated with a class. Valid values are:

I

Case-sensitivity for objects in the specified class.

Note: Verify that there is a resource with the same name before setting the I flag. CA ControlMinder shows a database error on restarting if there are multiple upper or lower case resources. Restart CA ControlMinder for the I flag change to take effect.

W

Warning mode for the specified class.

Note: Flags are case-sensitive; use uppercase letters.

history(nStoredPasswords)

Specifies the number of previous passwords that are stored in a history list. When a password is changed, the previous password is added to the list, and the oldest password is dropped from the list if necessary. CA ControlMinder prevents a user from changing their password to one that is in the list.

Enter an integer from 1 through 24. If you specify zero, no passwords are saved.

On Windows, the history option enables the use of passwords longer than eight characters. The form of encryption used when storing the password is determined by the setoptions bidirectional or bidirectional- option.

On UNIX, the history option does not affect whether long passwords are enabled. Use the passwd_local_encryption_method configuration setting to determine whether long passwords are enabled.

history‑

Disables password history checking.

On Windows, this option disables the use of long passwords.

inactive(nDays)

Specifies the number of inactive days after which a user's login is suspended. An inactive day is a day when the user does not log in. Enter a positive integer. If inactive is set to zero, the effect is the same as using the inactive‑ parameter.

inactive‑

Disables the inactive login check.

interval(nDays)

Sets the number of days that must pass after passwords are set or changed before the system prompts users for a new password. Enter a positive integer or zero. An interval of zero disables password interval checking for users. Set the interval to zero if you do not want passwords to expire.

If the utility segrace is part of the user's login script, CA ControlMinder informs the users that the current password has expired when the specified number of days is reached. The users can immediately renew the password or continue using the old password until the number of grace logins is reached. After the number of grace logins is reached, the users are denied access to the system and must contact the system administrator to select a new password.

interval‑

Cancels the password interval setting.

is_dms+

Designates the current database as a DMS.

is_dms-

Removes the designation of the current database as a DMS.

list

Displays the current CA ControlMinder settings on the screen.

maxlogins(nLogins)

Sets the maximum number of terminals the user can log in to at the same time. A value of 0 (zero) means that the user can log in from any number of terminals concurrently. This value can be overridden by assigning a value in the user's user record.

Note: If maxlogins is set to 1, you cannot run selang. You must shut down CA ControlMinder, change the maxlogins setting to greater than one, and restart CA ControlMinder.

Note: Valid only on Unix and Linux operating systems.

maxlogins‑

Disables the global maximum logins check. The number of terminals a user can log in from is unlimited, unless the user's login is restricted in the user's user record.

min_life(nDays)

Sets the minimum number of days between password changes. Enter a positive integer.

password

Sets the password options.

rules

Sets one or more password rules that CA ControlMinder uses to check the quality of new passwords. The rules are:

alpha(nCharacters)

Sets the minimum number of alphabetic characters the new password must contain. Enter an integer.

alphanum(nCharacters)

Sets the minimum number of alphanumeric characters the new password must contain. Enter an integer.

bidirectional

Specifies that when passwords are sent to other systems as part of PMDB, they are distributed in clear text (within encrypted messages).

On UNIX, this option is equivalent to setting the following passwd section setting value:

Passwd_distribution_encryption_mode=bidirectional

Note: We recommend that you set the configuration setting rather than use the setoptions command.

On Windows, the passwords are stored in the history list with the encryption specified in the registry value:

HKEY_LOCAL_MACHINE\SOFTWARE\ComputerAssociates\AccessControl\Encryption Package

bidirectional-

Specifies that passwords are sent in their hash encrypted form.

On Windows the hash function used is SHA-1.

On UNIX, this option is equivalent to setting the following passwd section setting value:

Passwd_distribution_encryption_mode=compatibility

Note: We recommend that you set the configuration setting rather than use the setoptions command.

If this option is specified, long passwords cannot be distributed between heterogeneous operating systems.

grace(nLogins)

Sets the maximum number of grace logins that are permitted before the user is suspended. The number of grace logins must be from 0 through 255 inclusive.

lowercase(nCharacters)

Sets the minimum number of lowercase characters the new password must contain. Enter an integer.

min_len(nCharacters)

Sets the minimum password length. Enter the minimum total number of characters that the new password must contain.

max_len(nCharacters)

Sets the maximum password length. Enter the maximum total number of characters that the new password can contain.

max_rep(nCharacters)

Sets the maximum number of repetitive characters the new password can contain. Enter an integer.

namechk

Checks whether the password contains or is contained by the user's name. By default, CA ControlMinder performs this check.

namechk‑

Turns off the namechk check.

numeric(nCharacters)

Sets the minimum number of numeric characters the new password must contain. Enter an integer.

oldpwchk

Checks whether the new password contains or is contained by the password being replaced. By default, CA ControlMinder performs this check.

Note: Valid only on Unix and Linux operating systems.

oldpwchk‑

Turns off the oldpwchk check.

prohibited(prohibitedCharacters)

Specifies characters a user cannot use in a password. Enter the prohibited characters.

Note: We recommend that you verify that the control characters '\' and 't' are both specified in the prohibitedCharacters list, to block the use of the tab key.

special(nCharacters)

Sets the minimum number of special characters the new password must contain. Enter an integer.

sub_str_len(nCharacters)

Sets the maximum number of characters the new password can share with the previous password. Enter an integer.

uppercase(nCharacters)

Sets the minimum number of uppercase characters the new password must contain. Enter an integer.

use_dbdict | use_dbdict-

Sets the password dictionary. use_dbdict sets the token to db and compares passwords against words in the CA ControlMinder database. use_dbdict- sets the token to file and checks passwords against a file specified in the seos.ini file for UNIX or Windows registry for Windows.

rules‑

Disables password quality checking. None of the rules specified by the rules argument are used for password quality checking.

Examples: Set CA ControlMinder Options

Example: Put a Class into Warning Mode

Put a class into Warning mode by setting the Warning property on the class. You can use the setoptions selang command to do this, as follows:

setoptions class(classname) flags+ (W)

classname

Defines the name of the class you want to put into Warning mode.

Note: The W flag is case-sensitive and must be in uppercase.

To clear Warning mode for the class, you can also use the setoptions command, as follows:

setoptions class(classname) flags- (W)
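
Example: Review a selang Script for Options That Relax Protection

The following Python linter is an added example and is not part of the CA ControlMinder documentation. It scans a selang change script for setoptions (or so) options that this page describes as disabling a check or class. The sample script, its user and class names, and the treatment of a trailing backslash as a line continuation are assumptions made for the example.

```python
import re

# (pattern, finding); wording is this example's reading of the page's option text.
CHECKS = [
    (r"\brules-", "password quality checking disabled"),
    (r"\bhistory-|\bhistory\(\s*0\s*\)", "no password history kept"),
    (r"\binterval-|\binterval\(\s*0\s*\)", "passwords never expire"),
    (r"\binactive-|\binactive\(\s*0\s*\)", "inactive login check disabled"),
    (r"\bmaxlogins-|\bmaxlogins\(\s*0\s*\)", "no global limit on concurrent logins"),
    (r"\bnamechk-", "user-name check on new passwords turned off"),
    (r"\boldpwchk-", "old-password check on new passwords turned off"),
    (r"\bcng_adminpwd(?!-)", "PWMANAGER users can change the ADMIN password"),
    (r"\bbidirectional(?!-)", "passwords distributed in clear text (within encrypted messages)"),
    (r"\bclass-\s*\(", "class disabled, its resources are not protected"),
    (r"\bflags\+\s*\(\s*W\s*\)", "class put into Warning mode"),
]

# Constructed sample script; user and class names are placeholders.
SAMPLE = r"""
setoptions class+ (FILE)
so password(rules(min_len(12) numeric(1) namechk-) \
   interval(0) history(12))
setoptions class(SURROGATE) flags+ (W)
newusr jdoe
so cng_adminpwd-
"""

def lint_selang(script):
    """Return (first_line_no, finding) for each relaxing setoptions option."""
    text = script.replace("\u2011", "-")  # doc pages render '-' as U+2011
    findings, logical, start = [], "", 0
    for no, raw in enumerate(text.splitlines(), 1):
        if not logical:
            start = no
        logical += raw.rstrip()
        if logical.endswith("\\"):        # assumed continuation marker
            logical = logical[:-1] + " "
            continue
        cmd, logical = logical.strip(), ""
        if not re.match(r"(setoptions|so)\b", cmd):
            continue                       # only setoptions / so commands
        findings += [(start, f) for p, f in CHECKS if re.search(p, cmd)]
    return findings

if __name__ == "__main__":
    for line_no, finding in lint_selang(SAMPLE):
        print(f"line {line_no}: {finding}")
```

Options copied from this page carry a non-breaking hyphen (U+2011), so the linter normalizes it to an ASCII hyphen before matching.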

More information:

Warning mode

setoptions Command—Set CA ControlMinder Windows Options