Troubleshooting Password Issues

This topic describes how to unlock, reset, or change the passwords for an account on your gateway. It also describes the password rules enforced for the ssgconfig and root accounts.
gateway92
This topic describes how to unlock, reset, or change the passwords for an account on your
CA API Gateway
. It also describes the password rules enforced for the
ssgconfig
and
root
accounts.
This topic applies only to Appliance Gateways.
To maintain the security of your
API Gateway
 appliance, stringent password rules are enforced for the
ssgconfig
and
root
user accounts.
The stringent rules apply only to the 
ssgconfig
 and 
root
 user accounts. Other passwords used by the Gateway are not affected and will not be locked out after unsuccessful attempts.
Password Rules
You are required to change the password for the
ssgconfig
and
root
accounts upon first use and every 60 days thereafter. The new password must adhere to the following rules:
  • Minimum 9 characters in length
  • Contains at least two upper and two lowercase characters
  • Contains at least two digits
  • Contains at least two special characters
The new password must not be a repeat of any of the five most recent passwords and at least 24 hours must have elapsed since the last password change.
Gateway Automatic Locking
The Gateway automatically locks the 
ssgconfig
 or 
root
 account after five unsuccessful login attempts. To restore 
ssgconfig
 access, see "unlock_ssgconfig" below. A locked 
root
 account is unlocked automatically after 20 minutes. This is the easiest way to restore
root
access. If you need to restore root access immediately, refer to this article from the CA Support site: Managing the Gateway appliance privileged (root) account
.
Unlocking the Root Account Immediately on UEFI Servers
Servers that use UEFI (Oracle X7-2 or later) instead of BIOS have a different process from what is described under "Unlocking the Account" in the Managing the Gateway appliance privileged (root) account article.
Use these steps instead:
  1. C
    onnect to the server using ILOM. Choose
    serial
    redirection, not 'video' redirection.
  2. Restart the Gateway appliance and press any key when prompted to enter the menu.
  3. Press '
    a
    ' to modify the kernel command. You should see something similar to this:
    <S.UTF-8 rhgb quiet console=tty0 console=ttyS0,9600n8
  4. Remove '
    rhgb quiet
    ' and add '
    1
    ' to the end of the line. Using the example above, the modified line should look like this:
    <S.UTF-8 console=tty0 console=ttyS0,9600n8 1
  5. Press
    Enter
    to save. You should see the root user login prompt.
  6. Log in using the root password that was locked.
  7. Once logged in, reset the root user tally counter with this command:
    pam_tally2 --user root --reset
Unlocking the SSGCONFIG Account
Re-enabling the
ssgconfig
account requires physical access to the Gateway appliance and knowledge of the root password.
To unlock the ssgconfig account:
  1. At the console, log in as the
    root
    user.
  2. Type the following command at the command prompt:
    # pam_tally2 --user ssgconfig --reset
You may now log in using the
ssgconfig
account. Note that lockout will again occur after five unsuccessful attempts.
Changing the SSGCONFIG Password
Changing the
ssgconfig
password requires physical access to the Gateway appliance and knowledge of the root password. You cannot change the password for an 
ssgconfig
account that is currently locked.
To change the ssgconfig password:
  1. At the console, log in as the
    root
    user.
  2. Type the following command at the command prompt:
    # passwd ssgconfig
Follow the prompts on the screen to change the password. The new password must conform to the “Password Rules” listed above.
Resetting the Administrative Password
This section describes how to reset the administrative password for the initial Policy Manager administrator account.
This only works for the administrative user that was created initially when the Gateway was configured. It is not intended to be used as a general-purpose password manipulation application (you can use the Gateway REST API for this—see  REST Management API).
To reset the administrative password:
  1. Access the Gateway main menu for your form factor: software.
  2. Access the password reset option as follows:
    • For Appliance Gateways, select option
      2
      (Display CA API Gateway configuration menu) and then option
      8
      (Reset Admin password).
    • For Software Gateways, selection option
      6
      (Reset Admin password).
  3. Enter the administrative user name.
  4. Enter the new administrative user password. The password is reset.