Configure password policies to provide an additional layer of security to protected resources.
To configure password policies, complete the following procedures:
If you plan to implement password policies in your enterprise, consider the following:
Otherwise the native password policy accepts or reject passwords without notifying CA SiteMinder®. Consequently, CA SiteMinder® cannot manage those passwords.
Note: For more information, see the CA SiteMinder® Policy Server Configuration Guide.
You can create a password policy to provide an extra layer of security to protected resources.
Follow these steps:
Password policy settings appear.
Note: Click Help for descriptions of settings and controls, including their respective requirements and limits.
/siteminderagent/forms/smpwservices.fcc
http://server_name:port/siteminderagent/forms/smpwservices.fcc
https://server_name:port/siteminderagent/forms/smpwservices.fcc
Note: For information about configuring agents to redirect to a specific server using a fully qualified domain name (FQDN) and customizing or localizing the redirection FCC, see the Web Agent Configuration Guide.
You configure password expiration settings to define events, that when triggered, the Policy Server disables the user account and optionally redirects the user to a new Web page. Examples of such events include multiple failed login attempts and account inactivity.
Note: Expiration settings are optional. If you do not want to enable an expiration setting, leave the respective fields blank.
To configure password expiration
Password expiration settings open.
Note: Click Help for descriptions of settings and controls, including their respective requirements and limits.
Note: You must select the Track successful logins check box if you want to disable accounts based on account inactivity. You must select the Track failed logins check box if you want to disable accounts based on failed login attempts.
Note: If you do not need to configure passwords to expire from inactivity, we recommended that you do not set this option for performance reasons.
You configure password composition rules to control the character composition of newly created passwords.
Note: Composition rules are optional. If you do not want to enable a composition rule, leave the respective fields blank.
To configure password composition restrictions
Password composition settings open.
Note: Click Help for descriptions of settings and controls, including their respective requirements and limits.
Regular expression matching for passwords allows you to specify text patterns used for string matching that each password must match or not match to be considered valid.
For example, if you require the first character in the password be a digit but not be the last character, you can configure a regular expression to enforce this requirement and all passwords will be checked against it.
The following table describes the characters you can use for constructing regular expressions for password matching. This syntax is consistent with the regular expression syntax supported for resource matching when specifying realms.
All closure operators (+, *, ?) are greedy by default, meaning that they match as many elements of the string as possible without causing the overall match to fail. If you want a closure to be reluctant (non-greedy), follow it with a ’?’. A reluctant closure matches as few elements of the string as possible when finding matches.
The regular expression syntax is a s follows:
Characters |
Results |
---|---|
\ |
Used to quote a meta-character (like ’*’) |
\\ |
Matches a single ’\’ character |
(A) |
Groups subexpressions (affects order of pattern evaluation) |
[abc] |
Simple character class (any character within brackets matches the target character) |
[a-zA-Z] |
Character class with ranges (any character range within the brackets matches the target character) |
[^abc] |
Negated character class |
. |
Matches any character other than newline |
^ |
Matches only at the beginning of a line |
$ |
Matches only at the end of a line |
A* |
Matches A 0 or more times (greedy) |
A+ |
Matches A 1 or more times (greedy) |
A? |
Matches A 1 or 0 times (greedy) |
A*? |
Matches A 0 or more times (reluctant) |
A+? |
Matches A 1 or more times (reluctant) |
A?? |
Matches A 0 or 1 times (reluctant) |
AB |
Matches A followed by B |
A|B |
Matches either A or B |
\1 |
Backreference to 1st parenthesized subexpression |
\n |
Backreference to nth parenthesized subexpression |
Limit: Each regular expression can contain no more than 10 subexpressions, including the expression itself. The number of subexpressions equals the number of left or opening parentheses in the regular expression plus one more left parenthesis for the expression itself.
You configure regular expressions to specify text patterns that are used for string matching. A password must match or not match the expression to be valid. Each regular expression entry is a name/value pair consisting of a descriptive tag and expression definition.
Regular expression matching for passwords is optional. If you decide to use regular expression, you only specify entries for expressions that passwords must match or must not match. If you have no expression matching requirements, do not create any regular expression entries.
To configure regular expressions for passwords
You will see an empty table in the Regular Expressions group box.
The Password Regular Expression dialog opens.
If you select this option, define a regular expression that passwords must match.
If you select this option, add an entry for each regular expression that passwords must not match.
Note: Click Help for descriptions of settings and controls, including their respective requirements and limits.
The regular expression is added to the table. If you selected MUST NOT match, you will see a checkbox in the NO Match column.
You configure password restrictions to place restrictions on password usage. Restrictions include:
You can also prevent users from specifying words that you determine are a security risk or contain users’ personal information.
Note: Restrictions are optional. If you do not want to enable a restriction, leave the respective fields blank.
To configure password restrictions
Password restriction settings open.
Note: Click Help for descriptions of settings and controls, including their respective requirements and limits.
Note: If you specify both criteria, each must be satisfied before a user can reuse a password.
Example: A password policy requires users to wait 365 days and specify 12 passwords before reusing a password. After a year, if a user only supplied six passwords, the user would have to supply another six passwords before reusing the first password.
You configure advanced password policy options to specify that submitted passwords be pre-processed before validation and storage. Advanced password policies let you assign a priority to a policy, which allows the predictable evaluation of multiple password policies that apply to the same user directory or namespace.
Note: Pre-processing options are optional. You should specify a unique password policy evaluation priority for each password policy that may be assigned to the user directory or namespace.
To configure advanced password options
Advanced password policy settings open.
Note: Click Help for descriptions of settings and controls, including their respective requirements and limits.
Note: You should specify identical pre-processing options for each password policy that is applied to the same user directory or namespace.
Note: Evaluation priorities range from 0-999, where 999 is the highest.
During password services processing, a user request is redirected multiple times. When the request is redirected, the login ID (typically the username) which was entered by the user is appended to the request URL by default. To modify the default behavior so that the login ID (username) is not appended to redirects, you can do one of the following procedures.
To remove the login ID when redirecting for password services in Windows
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Netegrity\SiteMinder\CurrentVersion\PolicyServer\DisallowUsernameInURL
To remove the login ID when redirecting for password services in UNIX
<policy-server-install-dir>/registry/
sm.registry
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Netegrity\SiteMinder\CurrentVersion\PolicyServer\DisallowUsernameInURL
You can configure the Policy Server to honor the CA Directory password policies. The Policy Server, together with a properly configured Web Agent, can send end-users configured warnings and notifications that are based on the directory password policies.
The following CA Directory password policies are supported:
If you use the CA Directory settings, disable the Policy Server account lock-out feature.
The Policy Server has no notion of grace logins remaining.
To allow the use of CA Directory password policies:
To use the tool, refer to the XPSConfig instructions.
Copyright © 2013 CA.
All rights reserved.
|
|