
Password Policy Configuration Options

SAP HANA Security Guide - SAP Library

17/3/2017 Password Policy Configuration Options - SAP HANA Security Guide - SAP Library

SAP HANA Platform Core 2.0 SPS 00

The Password Policy and Blacklist page in the SAP HANA cockpit and the Security editor in the SAP HANA studio allow you to view the password policy and to change its default configuration.
The password policy is defined by parameters in the password policy section of the indexserver.ini configuration file. The following sections describe these parameters, which correspond to the configuration options available in the SAP HANA cockpit and the SAP HANA studio.

Note
The password policy parameters for the system database of a multiple-container system are maintained in the nameserver.ini file, not the indexserver.ini file.

Minimum Password Length
Lowercase Letter/Uppercase Letter/Numerical Digit/Special Character Required
Password Change Required on First Logon
Number of Last Used Passwords That Cannot Be Reused
Number of Allowed Failed Logon Attempts
User Lock Time
Minimum Password Lifetime
Maximum Password Lifetime
Lifetime of Initial Password
Maximum Duration of User Inactivity
Notification of Password Expiration
Exempt SYSTEM User from Locking
Detailed Error Information on Failed Logon

Minimum Password Length
The minimum number of characters that the password must contain

Parameter: minimal_password_length

Default Value: 8 (characters)

Additional Information: You must enter a value between 6 and 64.

UI Label: Minimum Password Length

http://helplegacy.sap.com/saphelp_hanaplatform/helpdata/en/61/662e3032ad4f8dbdb5063a21a7d706/content.htm#id_w5w_jkl_45 1/7

Lowercase Letter/Uppercase Letter/Numerical Digit/Special Character Required
The character types that the password must contain; at least one character of each selected character type is required

Parameter: password_layout

Default Value: Aa1

Additional Information: The following character types are possible:
Lowercase letter (a-z)
Uppercase letter (A-Z)
Numerical digits (0-9)
Special characters (underscore (_), hyphen (-), and so on)
Any character that is not an uppercase letter, a lowercase letter, or a numerical digit is considered a special character.
The default configuration requires passwords to contain at least one uppercase letter, at least one number, and at least one lowercase letter, with special characters being optional.

Note
Passwords containing special characters other than underscore must be enclosed in double quotes ("). The SAP HANA Studio does this automatically. When a password is enclosed in double quotes ("), any Unicode characters may be used.

Caution
The use of passwords enclosed in double quotes (") may cause logon issues depending on the client used. The SAP HANA Studio, for example, supports passwords enclosed in double quotes ("), while the SAP HANA HDBSQL command line tool does not.

Note
If configuring this option in the indexserver.ini file using the password_layout parameter, you can use any specific letters, numbers and special characters, and the characters can be in any order. For example, the default value example could also be represented by a1A, hQ5, or 9fG. If you want to enforce the use of at least one of each character type including special characters, you specify A1a_ or 2Bg?.

UI Labels: Lowercase Letter/Uppercase Letter/Numerical Digit/Special Character Required
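The following Python sketch is an added example, not part of the SAP documentation. It shows how a password_layout value maps to required character types as described above, and flags passwords that would need double quotes. The function names are hypothetical.

```python
import string

def char_type(ch: str) -> str:
    """Classify one character into the four types described on this page."""
    if ch in string.ascii_lowercase:
        return "lowercase"
    if ch in string.ascii_uppercase:
        return "uppercase"
    if ch in string.digits:
        return "digit"
    return "special"  # anything that is not a-z, A-Z or 0-9

def required_types(password_layout: str) -> set:
    """'Aa1', 'a1A', 'hQ5' and '9fG' all yield the same set; order is irrelevant."""
    return {char_type(ch) for ch in password_layout}

def check_password(password: str, password_layout: str = "Aa1",
                   minimal_password_length: int = 8) -> list:
    """Return the list of policy violations (an empty list means compliant)."""
    problems = []
    if len(password) < minimal_password_length:
        problems.append("too short")
    present = {char_type(ch) for ch in password}
    for missing in sorted(required_types(password_layout) - present):
        problems.append(f"missing {missing}")
    return problems

def needs_double_quotes(password: str) -> bool:
    """True if the password has a special character other than underscore."""
    return any(char_type(ch) == "special" and ch != "_" for ch in password)
```

A password for which needs_double_quotes returns True is one that, per the Caution above, may cause logon issues with clients such as HDBSQL.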

Password Change Required on First Logon
Defines whether users have to change their initial passwords immediately the first time they log on

Parameter: force_first_password_change

Default Value: True

Additional Information: If this parameter is set to true, users can still log on with the initial password but every action they try to perform will return the error message that they must change their password.
If this parameter is set to false, users are not forced to change their initial password immediately the first time they log on. However, if a user does not change the password before the number of days specified in the parameter maximum_unused_initial_password_lifetime, then the password still expires and must be reset by a user administrator.
A user administrator (that is, a user with the system privilege USER ADMIN) can force a user to change his or her password at any time with the following SQL statement: ALTER USER <user_name> FORCE PASSWORD CHANGE
A user administrator can override this password policy setting for individual users (for example, technical users) with the following SQL statement:
CREATE USER <user_name> PASSWORD <password> [NO FORCE_FIRST_PASSWORD_CHANGE]
ALTER USER <user_name> PASSWORD <password> [NO FORCE_FIRST_PASSWORD_CHANGE]

UI Label: Password Change Required on First Logon

Number of Last Used Passwords That Cannot Be Reused
The number of last used passwords that the user is not allowed to reuse when changing his or her current password

Parameter: last_used_passwords

Default Value: 5 (previous passwords)

Additional Information: If you enter the value 0, the user can reuse his or her old password.

UI Label: Number of Last Used Passwords That Cannot Be Reused

Number of Allowed Failed Logon Attempts
The maximum number of failed logon attempts that are possible; the user is locked as soon as this number is reached

Parameter: maximum_invalid_connect_attempts

Default Value: 6 (failed logon attempts)

Additional Information: You must enter a value of at least 1.
A user administrator can reset the number of invalid logon attempts with the following SQL statement: ALTER USER <user_name> RESET CONNECT ATTEMPTS
The first time a user logs on successfully after an invalid logon attempt, an entry is made in the INVALID_CONNECT_ATTEMPTS system view containing the following information:
The number of invalid logon attempts since the last successful logon
The time of the last successful logon
A user administrator can delete information about invalid logon attempts with the following SQL statement: ALTER USER <user_name> DROP CONNECT ATTEMPTS

Recommendation
Create an audit policy to log activity in the INVALID_CONNECT_ATTEMPTS system view. For example, create an audit policy that logs data query and manipulation statements executed on this view.

Note
Although this parameter is not valid for the SYSTEM user, the SYSTEM user will still be locked if the parameter password_lock_for_system_user is set to true. If password_lock_for_system_user is set to false, the SYSTEM user will not be locked regardless of the number of failed logon attempts.

UI Label: Number of Allowed Failed Logon Attempts

User Lock Time
The number of minutes for which a user is locked after the maximum number of failed logon attempts

Parameter: password_lock_time

Default Value: 1440 (minutes)

Additional Information: If you enter the value 0, the user is unlocked immediately. This disables the functionality of parameter maximum_invalid_connect_attempts.
A user administrator can reset the number of invalid logon attempts and reactivate the user account with the following SQL statement: ALTER USER <user_name> RESET CONNECT ATTEMPTS. It is also possible to reactivate the user in the user editor of the SAP HANA Studio.
To lock a user indefinitely, enter the value -1. On the Password Policy and Blacklist page of the SAP HANA cockpit or in the Security editor of the SAP HANA studio, this corresponds to selecting the Lock User Indefinitely checkbox. The user remains locked until reactivated by a user administrator as described above.

UI Label: User Lock Time

Minimum Password Lifetime
The minimum number of days that must elapse before a user can change his or her password

Parameter: minimum_password_lifetime

Default Value: 1 (day)

Additional Information: If you enter the value 0, the password has no minimum lifetime.

UI Label: Minimum Password Lifetime

Maximum Password Lifetime
The number of days after which a user's password expires

Parameter: maximum_password_lifetime

Default Value: 182 (days)

Additional Information: You must enter a value of at least 1.
A user administrator can exclude users from this password check with the following SQL statement: ALTER USER <user_name> DISABLE PASSWORD LIFETIME. However, this is recommended for technical users only, not database users that correspond to real people.
A user administrator can re-enable the password lifetime check for a user with the following SQL statement: ALTER USER <user_name> ENABLE PASSWORD LIFETIME.

UI Label: Maximum Password Lifetime

Lifetime of Initial Password
The number of days for which the initial password or any password set by a user administrator for a user is valid

Parameter: maximum_unused_initial_password_lifetime

Default Value: 7 (days)

Additional Information: You must enter a value of at least 1.
If a user has not logged on using the initial password within the given period of time, the user will be deactivated until their password is reset.

Note
In SAP HANA 1.0 SPS 12 and earlier, this parameter was misspelled as maximum_unused_inital_password_lifetime. If this parameter had a user-specified value before upgrade, this value will be set as the value of the parameter maximum_unused_initial_password_lifetime. The misspelled parameter is unset and disappears from the custom configuration file.

UI Label: Lifetime of Initial Password

Maximum Duration of User Inactivity
The number of days after which a password expires if the user has not logged on

Parameter: maximum_unused_productive_password_lifetime

Default Value: 365 (days)

Additional Information: You must enter a value of at least 1.
If a user has not logged on within the given period of time using any authentication method, the user will be deactivated until their password is reset.

UI Label: Maximum Duration of User Inactivity

Notification of Password Expiration
The number of days before a password is due to expire that the user receives notification

Parameter: password_expire_warning_time

Default Value: 14 (days)

Additional Information: Notification is transmitted via the database client (ODBC or JDBC) and it is up to the client application to provide this information to the user.
If you enter the value 0, the user does not receive notification that his or her password is due to expire.
The system also monitors when user passwords are due to expire and issues a medium-priority alert (check 62). This may be useful for technical database users since password expiration results in the user being locked, which may affect application availability. It is recommended that you disable the password lifetime check of technical users so that their password never expires. For more information about how to disable this check, see SAP Note 1991615.

UI Label: Notification of Password Expiration

Exempt SYSTEM User from Locking
Indicates whether or not the user SYSTEM is locked for the specified lock time (password_lock_time) after the maximum number of failed logon attempts (maximum_invalid_connect_attempts)

Parameter: password_lock_for_system_user

Default Value: true

UI Label: Exempt SYSTEM User from Locking

Detailed Error Information on Failed Logon
Indicates the detail level of error information returned when a logon attempt fails

Parameter: detailed_error_on_connect

Default Value: false

Additional Information: If set to false, only the information "authentication failed" is returned.
If set to true, the specific reason for failed logon is returned:
Invalid user or password
User is locked
Connect try is outside validity period
User is deactivated

UI Label: Detailed Error Information on Failed Logon
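The following Python sketch is an added example, not SAP code. It audits the password policy section of an indexserver.ini (or nameserver.ini) file against the value ranges and side effects described in the sections above. The function name and the sample file content are constructed for illustration; the section name `password policy` is assumed from the description at the top of this page.

```python
import configparser

# Defaults as listed on this page for the parameters checked below.
DEFAULTS = {
    "minimal_password_length": "8", "last_used_passwords": "5",
    "maximum_invalid_connect_attempts": "6", "password_lock_time": "1440",
    "force_first_password_change": "true", "detailed_error_on_connect": "false",
    "password_lock_for_system_user": "true",
}
LEGACY_KEY = "maximum_unused_inital_password_lifetime"  # misspelling, 1.0 SPS 12 and earlier

def audit_password_policy(ini_text, section="password policy"):
    """Return (parameter, finding) tuples for settings that weaken the policy."""
    cp = configparser.ConfigParser(interpolation=None)  # password_layout may contain '%'
    cp.read_string(ini_text)
    custom = dict(cp[section]) if cp.has_section(section) else {}
    eff = {**DEFAULTS, **custom}  # customised values override the defaults
    flag = lambda key: eff[key].strip().lower() == "true"
    out = []
    if not 6 <= int(eff["minimal_password_length"]) <= 64:
        out.append(("minimal_password_length", "must be between 6 and 64"))
    if int(eff["last_used_passwords"]) == 0:
        out.append(("last_used_passwords", "old passwords can be reused"))
    if int(eff["maximum_invalid_connect_attempts"]) < 1:
        out.append(("maximum_invalid_connect_attempts", "must be at least 1"))
    if int(eff["password_lock_time"]) == 0:
        out.append(("password_lock_time", "0 unlocks immediately; lockout disabled"))
    if not flag("password_lock_for_system_user"):
        out.append(("password_lock_for_system_user", "SYSTEM is never locked"))
    if not flag("force_first_password_change"):
        out.append(("force_first_password_change", "initial password may be kept"))
    if flag("detailed_error_on_connect"):
        out.append(("detailed_error_on_connect", "logon errors reveal the reason"))
    if LEGACY_KEY in custom:
        out.append((LEGACY_KEY, "misspelled parameter name from before the upgrade"))
    return out

# Constructed sample of a customised configuration file (not from a real system).
SAMPLE_INI = """
[password policy]
minimal_password_length = 10
password_lock_time = 0
last_used_passwords = 0
detailed_error_on_connect = true
maximum_unused_inital_password_lifetime = 14
"""
```

Calling audit_password_policy(SAMPLE_INI) reports the four weakened or legacy settings in the sample; a password_lock_time of -1 (lock indefinitely) is not flagged.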

Related Information
Execute SQL Statements in SAP HANA Studio
Create an Audit Policy
SAP Note 1991615

Copyright by SAP SE or an SAP affiliate company. All rights reserved. Printed from SAP Help Portal. (http://help.sap.com)
