Safeguard Administrator's Manual (G06.29+, H06.08+, J06.03+)
Configuration
Safeguard Administrator’s Manual—523317-029
Configuring Password Control
PASSWORD-ALGORITHM
Specifies the algorithm used to encrypt passwords when they are changed. The
initial value is DES.
DES
Specifies that passwords are encrypted with the DES algorithm. This is the
initial value. Encrypted passwords are stored in the L/USERID and L/USERAX files.
HMAC256
Specifies that passwords are encrypted with the HMAC with SHA-256 algorithm
when PASSWORD-ENCRYPT is ON. Encrypted passwords are stored in the
L/USERAX files.
To change any of these values, issue the ALTER SAFEGUARD command from
SAFECOM. For example, to maintain a history of the last 10 passwords for each user
(and not allow reuse of these passwords):
=ALTER SAFEGUARD, PASSWORD-HISTORY 10
To grant users a 15-day grace period during which they can change their expired
passwords during logon:
=ALTER SAFEGUARD, PASSWORD-EXPIRY-GRACE 15 DAYS
You can change more than one attribute with a single command. To require a minimum
password length of six characters and to have passwords encrypted:
=ALTER SAFEGUARD, PASSWORD-MINIMUM-LENGTH 6, &
=PASSWORD-ENCRYPT ON
Note. This attribute is supported only on systems running H06.06 and later H-series RVUs and
G06.29 and later G-series RVUs.
Note. Each time a user password is changed or the user PASSWORD-MUST-CHANGE period
is changed, the Safeguard software uses the PASSWORD-MAY-CHANGE value to calculate
the new date on which that user password can be changed. It also calculates a
PASSWORD-EXPIRES date for the user based on the PASSWORD-MUST-CHANGE period defined
in the user authentication record. A user can change the password anytime between the
PASSWORD-MAY-CHANGE date and the PASSWORD-EXPIRES date. These dates are
calculated differently depending on who changes the password.

If the user changes the password, the PASSWORD-EXPIRES date is calculated by adding the
PASSWORD-MUST-CHANGE period to the current date. The PASSWORD-MAY-CHANGE
date is calculated by subtracting the PASSWORD-MAY-CHANGE period from the
PASSWORD-EXPIRES date.

If the owner of the user authentication record changes the password, the
PASSWORD-MAY-CHANGE date is set to *NONE* so that the user can change the password
immediately. In this instance, the PASSWORD-EXPIRES date is calculated by adding the
PASSWORD-MUST-CHANGE period to the current date.
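
The date rules in the note above, together with the PASSWORD-EXPIRY-GRACE window, worked through as an added Python example (not part of the manual and not Safeguard code). It assumes both periods are whole days and that the window boundaries are inclusive; the function names and status strings are hypothetical.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass
class PasswordDates:
    may_change: Optional[date]  # None models the *NONE* value
    expires: date


def password_dates(changed_on: date, must_change_days: int,
                   may_change_days: int, changed_by_owner: bool) -> PasswordDates:
    """Apply the two calculation rules from the note above."""
    # Both cases: PASSWORD-EXPIRES = current date + PASSWORD-MUST-CHANGE period.
    expires = changed_on + timedelta(days=must_change_days)
    if changed_by_owner:
        # Owner of the user record changed it: PASSWORD-MAY-CHANGE is *NONE*,
        # so the user can change the password immediately.
        return PasswordDates(None, expires)
    # User changed it: PASSWORD-MAY-CHANGE date = expiry - PASSWORD-MAY-CHANGE period.
    return PasswordDates(expires - timedelta(days=may_change_days), expires)


def change_status(dates: PasswordDates, today: date, grace_days: int = 0) -> str:
    """Classify a change attempt; status strings are hypothetical labels."""
    if today > dates.expires:
        # PASSWORD-EXPIRY-GRACE: expired passwords can still be changed at logon.
        grace_end = dates.expires + timedelta(days=grace_days)
        return "grace" if today <= grace_end else "expired"
    if dates.may_change is not None and today < dates.may_change:
        return "too-early"
    return "changeable"


if __name__ == "__main__":
    # Constructed sample: 60-day MUST-CHANGE, 10-day MAY-CHANGE, 15-day grace.
    d = password_dates(date(2025, 1, 1), 60, 10, changed_by_owner=False)
    print(d, change_status(d, date(2025, 2, 19), grace_days=15))
```

Running the same inputs with `changed_by_owner=True` shows why an administrator reset leaves the account immediately changeable by the user while the expiry date stays the same.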