How to Configure Password Policies

Policy Server Guides › Policy Server Configuration Guide › Password Policies › How to Configure Password Policies

How to Configure Password Policies

Configure password policies to provide an additional layer of security to protected resources.

To configure password policies, complete the following procedures:

Password Policy Considerations

If you plan to implement password policies in your enterprise, consider the following:

CA SiteMinder® requires read/write access to the user directory, including exclusive use of several attributes within that directory to store passwords and password–related information.
Password policies can affect CA SiteMinder® performance because of the additional user directory searches required to validate passwords. Password policies that are configured to search only part of a user directory, instead of the entire directory, can also affect performance.
If your user directory has a native password policy, this policy must be:
- Less–restrictive then the CA SiteMinder® password policy or
- Disabled
Otherwise the native password policy accepts or reject passwords without notifying CA SiteMinder®. Consequently, CA SiteMinder® cannot manage those passwords.
By default, if a user enters incorrect information when changing a password, CA SiteMinder® returns a generic failure message. This message does not specify the failure reason. Create and enable the DisallowForceLogin registry key to change the default behavior and explicitly tell users why the change failed.
If you use password policies on multiple Policy Servers, synchronize the system times of all servers. Synchronizing times helps to avoid the disabling of accounts or forcing password changes prematurely.
Note: For more information, see the CA SiteMinder® Policy Server Configuration Guide.

Create Password Policies

You can create a password policy to provide an extra layer of security to protected resources.

Follow these steps:

Click Policies, Password.
Click Password Policies.
Click Create Password Policy.
Password policy settings appear.

Note: Click Help for descriptions of settings and controls, including their respective requirements and limits.
Enter a policy name.
Select the user directory to which the policy applies from the Directory list.
Specify if the policy applies to the entire directory or part of the directory.
(Optional) If the policy only applies to part of the directory, click Lookup to specify which part.
(Optional) Specify the location of the FCC to which users are redirected if they enter a password that is deemed invalid by the password policy in the Redirection URL field.
To host the redirection FCC on the same server as the agent, accept the default:
```
/siteminderagent/forms/smpwservices.fcc
```
To host the redirection FCC for all hosts on a specific server:
```
http://server_name:port/siteminderagent/forms/smpwservices.fcc
```
To host the redirection FCC for all hosts on a specific server over SSL:
```
https://server_name:port/siteminderagent/forms/smpwservices.fcc
```
Configure the policy to reflect the password logic you want by configuring expiration, composition, expression, restriction, or advanced settings.

Note: For information about configuring agents to redirect to a specific server using a fully qualified domain name (FQDN) and customizing or localizing the redirection FCC, see the Web Agent Configuration Guide.

More information:

Agents and Password Services

Configure Password Expiration

You configure password expiration settings to define events, that when triggered, the Policy Server disables the user account and optionally redirects the user to a new Web page. Examples of such events include multiple failed login attempts and account inactivity.

Note: Expiration settings are optional. If you do not want to enable an expiration setting, leave the respective fields blank.

To configure password expiration

Click the Expiration tab.
Password expiration settings open.

Note: Click Help for descriptions of settings and controls, including their respective requirements and limits.
Specify user login tracking settings by selecting the Track successful logins, Track failed logins, and Authenticate on Login Tracking Failure check boxes in the Expiration group box.
Note: You must select the Track successful logins check box if you want to disable accounts based on account inactivity. You must select the Track failed logins check box if you want to disable accounts based on failed login attempts.
Specify the settings that determine how often a password must be changed in the Password expires if not changed group box.
Specify the settings that determine how many incorrect password attempts are permitted in the Incorrect Password group box.
Specify the settings that determine how long a password can remain inactive in Password expires from inactivity group box.
Note: If you do not need to configure passwords to expire from inactivity, we recommended that you do not set this option for performance reasons.
Click Submit to save the password policy or click another tab to continue working with the password policy.

Configure Password Composition

You configure password composition rules to control the character composition of newly created passwords.

Note: Composition rules are optional. If you do not want to enable a composition rule, leave the respective fields blank.

To configure password composition restrictions

Click the Composition tab.
Password composition settings open.

Note: Click Help for descriptions of settings and controls, including their respective requirements and limits.
Enter the minimum and maximum character length for passwords in the Minimum Length and Maximum Length fields.
Enter the maximum number of characters that can appear consecutively in a password in the Maximum field.
Specify the permissible characters types and the minimum requirements for each in the Content Minimum group box.
Click Submit.

Password Regular Expressions

Regular expression matching for passwords allows you to specify text patterns used for string matching that each password must match or not match to be considered valid.

For example, if you require the first character in the password be a digit but not be the last character, you can configure a regular expression to enforce this requirement and all passwords will be checked against it.

Regular Expressions Syntax

The following table describes the characters you can use for constructing regular expressions for password matching. This syntax is consistent with the regular expression syntax supported for resource matching when specifying realms.

All closure operators (+, *, ?) are greedy by default, meaning that they match as many elements of the string as possible without causing the overall match to fail. If you want a closure to be reluctant (non-greedy), follow it with a ’?’. A reluctant closure matches as few elements of the string as possible when finding matches.

The regular expression syntax is a s follows:

Characters	Results
\	Used to quote a meta-character (like ’*’)
\\	Matches a single ’\’ character
(A)	Groups subexpressions (affects order of pattern evaluation)
[abc]	Simple character class (any character within brackets matches the target character)
[a-zA-Z]	Character class with ranges (any character range within the brackets matches the target character)
[^abc]	Negated character class
.	Matches any character other than newline
^	Matches only at the beginning of a line
$	Matches only at the end of a line
A*	Matches A 0 or more times (greedy)
A+	Matches A 1 or more times (greedy)
A?	Matches A 1 or 0 times (greedy)
A*?	Matches A 0 or more times (reluctant)
A+?	Matches A 1 or more times (reluctant)
A??	Matches A 0 or 1 times (reluctant)
AB	Matches A followed by B
A\|B	Matches either A or B
\1	Backreference to 1st parenthesized subexpression
\n	Backreference to nth parenthesized subexpression

Limit: Each regular expression can contain no more than 10 subexpressions, including the expression itself. The number of subexpressions equals the number of left or opening parentheses in the regular expression plus one more left parenthesis for the expression itself.

Configure Regular Expression Matching

You configure regular expressions to specify text patterns that are used for string matching. A password must match or not match the expression to be valid. Each regular expression entry is a name/value pair consisting of a descriptive tag and expression definition.

Regular expression matching for passwords is optional. If you decide to use regular expression, you only specify entries for expressions that passwords must match or must not match. If you have no expression matching requirements, do not create any regular expression entries.

To configure regular expressions for passwords

In the Password Policy dialog, select the Regular Expressions tab.
You will see an empty table in the Regular Expressions group box.
Click Add to add an expression.
The Password Regular Expression dialog opens.
Select one of the following radio buttons:
- MUST Match
  If you select this option, define a regular expression that passwords must match.
- MUST NOT Match
  If you select this option, add an entry for each regular expression that passwords must not match.
Enter values for the fields.
Note: Click Help for descriptions of settings and controls, including their respective requirements and limits.
Click OK.
The regular expression is added to the table. If you selected MUST NOT match, you will see a checkbox in the NO Match column.

Configure Password Restrictions

You configure password restrictions to place restrictions on password usage. Restrictions include:

how long a user must wait before reusing a password
how different the password must be from ones previously used

You can also prevent users from specifying words that you determine are a security risk or contain users’ personal information.

Note: Restrictions are optional. If you do not want to enable a restriction, leave the respective fields blank.

To configure password restrictions

Click the Restrictions tab.
Password restriction settings open.

Note: Click Help for descriptions of settings and controls, including their respective requirements and limits.
Specify how much time must pass and/or how many new passwords must be created before an old password can be reused in the Reuse group box.
Note: If you specify both criteria, each must be satisfied before a user can reuse a password.

Example: A password policy requires users to wait 365 days and specify 12 passwords before reusing a password. After a year, if a user only supplied six passwords, the user would have to supply another six passwords before reusing the first password.
Specify how much a new password must differ from the previous password in the Change Required group box.
Specify the number of consecutive characters the password policy compares to personal information stored in user profiles in the Profile Attributes group box.
Specify the path to a user-defined dictionary of forbidden passwords and the length of the string compared against values in the dictionary in the Dictionary group box.
Click Apply to save the changes or click OK to save the changes and return to the Administrative UI.

Configure Advanced Password Options

You configure advanced password policy options to specify that submitted passwords be pre-processed before validation and storage. Advanced password policies let you assign a priority to a policy, which allows the predictable evaluation of multiple password policies that apply to the same user directory or namespace.

Note: Pre-processing options are optional. You should specify a unique password policy evaluation priority for each password policy that may be assigned to the user directory or namespace.

To configure advanced password options

Click the Advanced tab.
Advanced password policy settings open.

Note: Click Help for descriptions of settings and controls, including their respective requirements and limits.
Specify options to process submitted passwords prior to evaluation and storage in the Password Pre-Processing group box.
Note: You should specify identical pre-processing options for each password policy that is applied to the same user directory or namespace.
(Optional) If the password policy is one of multiple policies that applies to the same user directory or namespace, specify a the password policy priority in the Password Policy Priority group box.
Note: Evaluation priorities range from 0-999, where 999 is the highest.

Remove the Login ID When Redirecting for Password Services

During password services processing, a user request is redirected multiple times. When the request is redirected, the login ID (typically the username) which was entered by the user is appended to the request URL by default. To modify the default behavior so that the login ID (username) is not appended to redirects, you can do one of the following procedures.

To remove the login ID when redirecting for password services in Windows

Add the following registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Netegrity\SiteMinder\CurrentVersion\PolicyServer\DisallowUsernameInURL

Set the DWORD value to one of the following values:
- 0 — Applies the default behavior of appending the UID to the request URL.
- 1 — Changes the default behavior so that the UID is not appended to the request URL.

To remove the login ID when redirecting for password services in UNIX

Navigate to:
```
<policy-server-install-dir>/registry/
```
In a text editor, open the following file:
```
sm.registry
```

Add the following registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Netegrity\SiteMinder\CurrentVersion\PolicyServer\DisallowUsernameInURL

Set the DWORD value to one of the following values:
- 0 — Applies the default behavior of appending the UID to the request URL.
- 1 — Changes the default behavior so that the UID is not appended to the request URL.

CA Directory Password Policy Control

You can configure the Policy Server to honor the CA Directory password policies. The Policy Server, together with a properly configured Web Agent, can send end-users configured warnings and notifications that are based on the directory password policies.

The following CA Directory password policies are supported:

Native password expiration.
To use this feature, do one of the following options:
- Do not set the Policy Server password policy for password expiration.
- Configure the policy settings for expiration and warnings so they are less restrictive than the settings in the CA directory password policy.
User account lock-out settings.
If you use the CA Directory settings, disable the Policy Server account lock-out feature.
Password expiration warnings.
Notification of the remaining grace logins, if the client can recognize the password message code for the grace login message.
The Policy Server has no notion of grace logins remaining.

To allow the use of CA Directory password policies:

Define a CA SiteMinder® password policy that refers to the CA Directory where your users reside.
Use the XPSConfig tool and set the configuration parameter CA.SM::$LdapEnablePwdCtrlSupport to true.
To use the tool, refer to the XPSConfig instructions.