CA API Gateway - 9.2

Manage Password Policy

Last update December 9, 2015

A password policy defines the rules for password use in the Policy Manager, such as the length of a password, characters that must be included, when the password expires, how often passwords can be reset, etc. The password policy applies to all areas where user passwords are specified, such as when a user account is created, when a password is reset or changed, or when users are asked to reset their passwords at login.

The password policy applies to internal users of the Internal Identity Provider regardless of whether their accounts will be used to authenticate message traffic or for CA API Gateway administration.

An administrative user is a person with an account in the Policy Manager that allows them access to the CA API Gateway. Changes to the password policy do not apply to existing administrative users until they change their password. A password reset can be forced using the Force Administrative Password Reset feature.

Managing passwords requires either the Administrator or the Manage Password Policies role. For more information about roles, see Predefined Roles and Permissions.

To manage password policy:

  1. In the Policy Manager, do one of the following:
    • Right click Internal Identity Provider in the [Identity Providers] tab, and select Manage Password Policy.
    • On the Main Menu, select [Tasks] > Users and Authentication > Manage Password Policy (on the browser client, from the Manage menu).
     The Internal Identity Provider Password Policy dialog displays. 
  2. Configure this dialog as follows:

    Setting

    Description

    Force password change for new user and reset

    Select this check box to force a password change upon next login for the following users:

    • Administrative user accounts logging on for the first time

    • Administrative user accounts that have had their passwords reset by an administrator

    This does not apply when users change their own passwords.

    When a password is reset by an administrator, or when a new account is created, some password rules are temporarily relaxed. The password itself must satisfy the password requirements; however, the following rules will be temporarily ignored:

    • Character difference
    • Password Repeat Frequency
    • Allow One Password Change Per 24 Hours

    Selecting the Force password change for new user and reset check box ensures that all password rules are met before users can access the CA API Gateway for administrative purposes.

    The forced password change will not apply to users who log in with certificates. However, if a certificate is revoked, a password change will be required at the user's next login.

    Tip: To force all administrative users on an Internal Identity Provider to reset their passwords, see Force Administrative Password Reset.

    Minimum Password Length

    Enter the minimum number of characters, between 3 and 128, required for the password.

    Default: 8

    Maximum Password Length

    Enter the maximum allowable number of characters for the password. This number must be between 3 and 128.

    Default: 32

    Password Repeat Frequency

    Enter the number of times, between 1 and 50, that a new password must be different from the current password. For example, if 10 is selected, the next 10 passwords must be different from the current password.

    Default: 10

    Password Expiry

    Enter the number of days, between 1 and 1825, before the active password expires.

    Default: 90 days

    Allow One Password Change Per 24 Hours

    Select this check box to limit the number of password changes a user can make to one every 24 hours.

    Clear this check box to allow a user unlimited password changes within a 24-hour period.

    Note: Administrators are exempt from this password rule.

    Required Password Characters

    This section lets you specify what characters are allowed in a password and the minimum occurrence of these characters.

    Select each check box to enforce the rule. When a check box is selected, the minimum value is 1, and the combined maximum of all minimum character requirements is the current value for "Minimum Password Length" to ensure a valid password can be created.

    • uppercase A-Z: Select this check box to set the number of uppercase letters (A-Z) required for the password. When this check box is selected, the default value of 1 is automatically applied.

    Clear this check box to not enforce the use of uppercase letters in the password.

    • lowercase a-z: Select this check box to set the number of lowercase letters (a-z) required for the password. When this check box is selected, the default value of 1 is automatically applied.

    Clear this check box to not enforce the use of lowercase letters in the password.

    • numbers 0-9: Select this check box to set how many numbers (0-9) are required for the password. When this check box is selected, the default value of 1 is automatically applied.

    Clear this check box to not enforce the use of numbers in the password.

    • symbol: Select this check box to set how many symbol characters (!@#$%^&*-) are required for the password. When this check box is selected, the default value of 1 is automatically applied.

    Clear this check box to not enforce the use of symbols in the password.

    • non-numeric: Select this check box to set the minimum number of non-numeric characters (not 0-9). Letters and symbols count. When this check box is selected, the default value of 1 is automatically applied.

    Clear this check box to not enforce the use of non-numeric characters in the password.

    • character difference: Select this check box to set the number of physical characters that must be different from the last password. When this check box is selected, the CA API Gateway will reject any new password that does not contain the set number of new characters. For example, if this value is set to "2" and the previous password is "7layer", the CA API Gateway will reject the new password "layer7" but will accept "8player" because it contains a difference of more than two characters.

    Clear this check box to not enforce the use of character difference in the password.

    • no repeating characters: Select this check box to disallow repeating characters in a password to prevent a password like 'aaa' being accepted.

    Clear this check box to allow the use of repeating characters in the password.

    Note: Default values for these fields come from the STIG minimum settings. For more information, see the description for "Reset to STIG Minimum" below.

    Reset to PCI-DSS Minimum

    Click this button to quickly reset the password policy to the minimum Payment Card Industry Data Security Standard (PCI DSS) settings as defined by the Payment Card Industry Security Standards Council.

    Reset to STIG Minimum

    Click this button to quickly reset the password policy to the minimum Secure Technical Implementation Guide (STIG) settings, as defined by the Defense Information Systems Agency (DISA), a support agency to the United States Department of Defense.

  3. Click [OK] when done.
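
The rules in the dialog above can be modelled offline to check a planned policy for consistency and to pre-screen candidate passwords in provisioning scripts. The following Python sketch is an added example, not CA API Gateway code; the `Policy` class, the function names, and the readings of "character difference", "no repeating characters" and the combined-minimum rule are assumptions marked in the comments.

```python
import re
from dataclasses import dataclass

@dataclass
class Policy:
    # Length defaults are the page's; a count of 0 models a cleared check box.
    min_len: int = 8
    max_len: int = 32
    upper: int = 1
    lower: int = 1
    digits: int = 1
    symbols: int = 1
    non_numeric: int = 1
    char_diff: int = 2        # constructed value, taken from the page's example
    no_repeats: bool = True

    def classes(self):
        # (rule name, character class, required count)
        return [("uppercase", r"[A-Z]", self.upper),
                ("lowercase", r"[a-z]", self.lower),
                ("numbers", r"[0-9]", self.digits),
                ("symbol", r"[!@#$%^&*-]", self.symbols),  # assumed: only the listed symbols
                ("non-numeric", r"[^0-9]", self.non_numeric)]

def policy_errors(p):
    """Check that the policy itself can be satisfied."""
    errs = []
    if not (3 <= p.min_len <= 128 and 3 <= p.max_len <= 128):
        errs.append("length bounds must be between 3 and 128")
    if p.min_len > p.max_len:
        errs.append("minimum length exceeds maximum length")
    # Assumed reading: every per-class minimum counts toward the combined total.
    if sum(need for _, _, need in p.classes()) > p.min_len:
        errs.append("required characters exceed minimum length")
    return errs

def violations(p, new, previous=None, admin_reset=False):
    """Return the names of the rules that `new` fails."""
    out = [] if p.min_len <= len(new) <= p.max_len else ["length"]
    out += [name for name, pat, need in p.classes()
            if len(re.findall(pat, new)) < need]
    # Character difference is ignored for administrator resets and new accounts.
    if previous is not None and not admin_reset:
        # Assumed reading: distinct characters of `new` absent from `previous`.
        if len(set(new) - set(previous)) < p.char_diff:
            out.append("character difference")
    # Assumed reading: "repeating" means the same character twice in a row.
    if p.no_repeats and re.search(r"(.)\1", new):
        out.append("no repeating characters")
    return out
```

Under these readings the page's own example holds: with a character difference of 2 and a previous password of "7layer", "layer7" fails the rule and "8player" passes it.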