Troubleshooting Password Issues
This topic describes how to unlock, reset, or change the passwords for an account on your gateway. It also describes the password rules enforced for the ssgconfig and root accounts.
This topic describes how to unlock, reset, or change the passwords for an account on your
Layer7 API Gateway. It also describes the password rules enforced for the
This topic applies only to Appliance Gateways.
To maintain the security of your
API Gatewayappliance, stringent password rules are enforced for the
The stringent rules apply only to the
rootuser accounts. Other passwords used by the Gateway are not affected and will not be locked out after unsuccessful attempts.
You are required to change the password for the
rootaccounts upon first use and every 60 days thereafter. The new password must adhere to the following rules:
- Minimum 9 characters in length
- Contains at least two upper and two lowercase characters
- Contains at least two digits
- Contains at least two special characters
The new password must not be a repeat of any of the five most recent passwords and at least 24 hours must have elapsed since the last password change.
Gateway Automatic Locking
The Gateway automatically locks the
rootaccount after five unsuccessful login attempts. To restore
ssgconfigaccess, see "unlock_ssgconfig" below. A locked
rootaccount is unlocked automatically after 20 minutes. This is the easiest way to restore
rootaccess. If you need to restore root access immediately, refer to this article from the CA Support site: Managing the Gateway appliance privileged (root) account
Unlocking the Root Account Immediately on UEFI Servers
Servers that use UEFI (Oracle X7-2 or later) instead of BIOS have a different process from what is described under "Unlocking the Account" in the Managing the Gateway appliance privileged (root) account article.
Use these steps instead:
- Connect to the server using ILOM. Chooseserialredirection, not 'video' redirection.
- Restart the Gateway appliance and press any key when prompted to enter the menu.
- Press 'a' to modify the kernel command. You should see something similar to this:<S.UTF-8 rhgb quiet console=tty0 console=ttyS0,9600n8
- Remove 'rhgb quiet' and add '1' to the end of the line. Using the example above, the modified line should look like this:<S.UTF-8 console=tty0 console=ttyS0,9600n8 1
- PressEnterto save. You should see the root user login prompt.
- Log in using the root password that was locked.
- Once logged in, reset the root user tally counter with this command:pam_tally2 --user root --reset
Unlocking the SSGCONFIG Account
ssgconfigaccount requires physical access to the Gateway appliance and knowledge of the root password.
To unlock the ssgconfig account:
- At the console, log in as therootuser.
- Type the following command at the command prompt:# pam_tally2 --user ssgconfig --reset
You may now log in using the
ssgconfigaccount. Note that lockout will again occur after five unsuccessful attempts.
Changing the SSGCONFIG Password
ssgconfigpassword requires physical access to the Gateway appliance and knowledge of the root password. You cannot change the password for an
ssgconfigaccount that is currently locked.
To change the ssgconfig password:
- At the console, log in as therootuser.
- Type the following command at the command prompt:# passwd ssgconfig
Follow the prompts on the screen to change the password. The new password must conform to the “Password Rules” listed above.
Resetting the Administrative Password
This section describes how to reset the administrative password for the initial Policy Manager administrator account.
This only works for the administrative user that was created initially when the Gateway was configured. It is not intended to be used as a general-purpose password manipulation application (you can use the Gateway REST API for this—see REST Management API).
To reset the administrative password:
- Access the Gateway main menu for your form factor: software.
- Access the password reset option as follows:
- For Appliance Gateways, select option2(Display CA API Gateway configuration menu) and then option8(Reset Admin password).
- For Software Gateways, selection option6(Reset Admin password).
- Enter the administrative user name.
- Enter the new administrative user password. The password is reset.