Administrator's Guide


Ensuring Client/Server Password Authentication


Task                                  Required Privilege Class
Set password authentication           System
Set password expiration               System
Set password invalid attempt limit    System
Set password minimum length           System

To ensure that only authorized administrators and client nodes are communicating with an authorized server, you can require the use of passwords. You can also require that users regularly change their passwords.

Setting Password Authentication

At installation, ADSM automatically sets password authentication on. With password authentication set to on, all users must enter a password when accessing the server. To allow administrators and client nodes to access ADSM without entering a password, issue the following command:

set authentication off

Attention: Setting password authentication off reduces data security.

Setting the Administrative Client Web Interface Authentication

At installation, the timeout default value for the administrative web interface is 10 minutes. When the timeout period expires, the user of the web interface is required to reauthenticate by logging on and specifying a password. The following example shows how to set the timeout value to 20 minutes:

set webauthtimeout 20

You can specify a value from 0 to 9999 minutes. If you specify the minimum value of 0, there is no timeout period for the administrative web interface. To help ensure the security of an unattended browser, it is recommended that you set the timeout value higher than zero.

Setting User Password Expiration

At installation, ADSM sets a password expiration of 90 days. You can reset the expiration period from 1 to 9999 days. For example, to set the expiration period to 120 days, issue the following command:

set passexp 120

The expiration period begins when an administrator or client node is first registered to the server. If a user password is not changed within this period, the server prompts the user to change the password the next time the user tries to access the server.

Setting Invalid Password Limit

You can set a limit on consecutive invalid password attempts for all client nodes. When the limit is exceeded, the server locks the client node. The following example sets a system-wide limit of three consecutive invalid password attempts:

set invalidpwlimit 3

The default value at installation is 0. A value of 0 means that invalid password attempts are not checked. You can set the value from 0 to 9999 attempts.

If you initially set a limit of 4 and then change the limit to a lower number, some clients may fail verification during the next login attempt.

To regain access to the server, a storage administrator with proper authority can unlock the node. For information about unlocking a client or administrator node, see "Locking and Unlocking Client Nodes" and "Locking and Unlocking Administrators from the Server". An administrator can also force a client to change their password on the next login by specifying the FORCEPWRESET=YES parameter on the UPDATE NODE or UPDATE ADMIN command. For more information, refer to ADSM Administrator's Reference.

Setting a Minimum Password Length

You can specify a minimum password length that is required for client nodes. The following example shows how to set the minimum password length to eight:

set minpwlength 8

The default value at installation is 0. A value of 0 means that password length is not checked. You can set the length value from 0 to 64.
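
The checks described in the sections above, as an added example that is not part of the ADSM guide: a small Python linter that reads a list of set commands and reports values outside the documented ranges or values that turn a check off. The names RULES, lint and SAMPLE_MACRO are hypothetical, the sample commands are constructed, and options missing from the input are assumed to still be at their installation defaults.

```python
# Added example: lint ADSM "set" commands against the ranges and the
# "0 disables the check" semantics documented on this page.
# RULES, lint() and SAMPLE_MACRO are hypothetical names, not part of ADSM.

# option -> (minimum, maximum, installation default, effect of 0 or None)
RULES = {
    "webauthtimeout": (0, 9999, 10, "web interface never times out"),
    "passexp":        (1, 9999, 90, None),
    "invalidpwlimit": (0, 9999, 0, "invalid password attempts are not checked"),
    "minpwlength":    (0, 64, 0, "password length is not checked"),
}

# Constructed sample input, one command per line, full command names only.
SAMPLE_MACRO = """\
set authentication off
set webauthtimeout 0
set passexp 120
set minpwlength 80
"""

def lint(macro_text):
    """Return sorted (option, message) findings for a block of set commands."""
    seen, findings = {}, []
    for line in macro_text.splitlines():
        words = line.lower().split()
        if len(words) != 3 or words[0] != "set":
            continue  # not one of the commands covered here
        seen[words[1]] = words[2]
    if seen.get("authentication", "on") == "off":
        findings.append(("authentication", "passwords are not required"))
    for opt, (lo, hi, default, zero_means) in RULES.items():
        raw = seen.get(opt)
        # Assumption: an option that is not set is at its installation default.
        value = default if raw is None else (int(raw) if raw.isdigit() else None)
        if value is None or not lo <= value <= hi:
            findings.append((opt, f"value {raw!r} is outside {lo}-{hi}"))
        elif value == 0 and zero_means:
            origin = "installation default" if raw is None else "set explicitly"
            findings.append((opt, f"0 ({origin}): {zero_means}"))
    return sorted(findings)

if __name__ == "__main__":
    for opt, msg in lint(SAMPLE_MACRO):
        print(f"{opt}: {msg}")
```

A server left at its installation defaults is reported for invalidpwlimit and minpwlength, because both defaults are 0.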

