Configure Password Settings

This section describes how to configure Password Issuance profiles and Password Authentication Policies for CA Strong Authentication:
Configure Password Issuance Profile
A Password profile can be used to specify the following attributes of a password credential:
  • Password strength
    : The effectiveness of a password, determined by the length of the password and number of alphabetic, numeric, and special characters in it.
  • Validity period
    : The period for which the password credential is valid.
  • Auto-generate password
    : CA Strong Authentication Server generates the password.
  • Usage count
    : Number of times the password can be used.
  • Usage type and password uniqueness
    : Based on the usage requirement, a user can have multiple password credentials. For example, a user has a temporary password and a permanent password. These passwords can be the same or unique.
By configuring a Password profile and assigning it to one or more organizations, you can control the characteristics of password credentials that are issued to users of those organizations. Use the Password Profiles page for creating password credential profiles.
Follow these steps:
  1. Click the Services and Server Configurations tab on the main menu.
  2. Ensure that the CA Strong Authentication tab in the submenu is active.
  3. Under the Password section, click the Issuance link to display the Password Profiles page.
  4. Edit the fields in the Profile Configurations section, as required.
    • Profile Configurations:
    • Create
      To create a new profile:
      • Select the Create option.
      • Specify the Configuration Name of the new profile in the field that appears.
    • Update
      To update an existing profile, select the profile that you want to update from the Select Configuration list.
    • Copy Configuration
      Enable this option if you want to create the profile by copying the configurations from an existing profile.
      Note: You can also copy from configurations that belong to other organizations that you have scope on.
    • Available Configurations
      Select the profile from which the configurations are copied.
    • Validity Start Date
      Set the date from when the issued password credential is valid.
      The validity can start from either the date when this credential is created or you can specify a custom date.
    • Validity End Date
      Set the date when the password expires.
      You can use the following options to set the expiration date:
      • Specify the duration
      • Specify a custom date
      Choose the "Never Expires" option if you do not want the password to expire.
    • Password Strength Options:
    • Minimum Characters
      Specify the minimum number of characters that the password can contain. You can set a value from 4 through 64 characters.
      The default value is 6.
    • Maximum Characters
      Specify the maximum number of characters that the password can contain. You can set a value from 4 through 64 characters.
      The default value is 10.
    • Minimum Alphabetic Characters
      Specify the minimum number of alphabetic characters (a-z and A-Z) that the password can contain.
      This value must be less than or equal to the value specified in the Minimum Characters field.
    • Minimum Numeric Characters
      Specify the minimum number of numeric characters (0 through 9) that the password can contain. You can set a value from 0 through 32 characters.
    • Minimum Special Characters
      Specify the minimum number of special characters that the password can contain. By default, all special characters are allowed except the ASCII (0-31) characters.
  5. Expand the Advanced Configurations section by clicking the [+] sign.
  6. In the Custom Attributes section, specify any extra information in the Name-Value pair format. For example, the organization information that plug-ins can use.
  7. Set the following values in the User Validations section:
    • Select the User Active option if you want to verify the user status for the following operations involving the current credential:
      • Create credential
      • Reissue credential
      • Reset credential
      • Reset validity of the credential
    • Select the User Attribute option if you want to verify whether the user attribute matches certain values. You can set the value for the following user attributes:
      • Date when the user was created
      • Date when the user details were modified
      • Email address
      • First name
      • Middle name
      • Last name
      • User status
      • Telephone number
      • Unique user identifier
      The User Attribute check feature is available only if you are performing configurations at the organization level.
  8. Set the following options in the Additional Password Options section:
    • Enable the Auto-Generate Password option if you want the CA Strong Authentication Server to generate the user passwords. This feature can be used when a user forgets their password: the Server auto-generates a new password, and the user uses this new password for the next login.
    • In the Usage Count option, select Unlimited if you want the password to be valid until it expires. If you want to limit the number of times the password is used, then enter the number of times in the second option.
  9. Set the following values in the Multiple Credential Options section:
    • In the Usage Type field, enter a description that identifies the purpose for which the password is used. For example, if a user has a temporary password to perform a remote login to the network, the usage type for this password can be temporary.
    • Enable the Password Unique Across Usage Types option if the passwords of different usage types must be unique.
  10. The History Validation section enables you to prevent users from reusing old passwords. You can select any of the following options:
    • Last <N> Passwords
      : Select this option if you want the current password to be different from the last <N> passwords.
    • Password Created in Last
      : Select this option if you want the current password to be different from the passwords that are used in the specified duration.
  11. Click Save.
  12. Refresh all deployed CA Strong Authentication Server instances.
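The Password Strength Options above can contradict each other in ways that leave no password able to satisfy the profile. The following added example (not CA code) checks a profile for the ranges stated on this page plus two logical consistency checks, and then checks a candidate password against it. The class, field and function names are hypothetical, and the zero defaults for the per-class minimums are assumptions.

```python
import string
from dataclasses import dataclass

ALPHA = set(string.ascii_letters)   # a-z and A-Z, as the page defines alphabetic
DIGITS = set(string.digits)         # 0 through 9

@dataclass
class PasswordProfile:
    # Hypothetical field names. 6 and 10 are the defaults stated on this page;
    # the zero defaults below are assumptions.
    min_chars: int = 6
    max_chars: int = 10
    min_alpha: int = 0
    min_numeric: int = 0
    min_special: int = 0

def profile_errors(p):
    """Return the reasons a profile is invalid or can never be satisfied."""
    errs = []
    if not 4 <= p.min_chars <= 64:
        errs.append("Minimum Characters must be 4 through 64")
    if not 4 <= p.max_chars <= 64:
        errs.append("Maximum Characters must be 4 through 64")
    if p.min_chars > p.max_chars:          # added check, not stated on the page
        errs.append("Minimum Characters exceeds Maximum Characters")
    if p.min_alpha > p.min_chars:
        errs.append("Minimum Alphabetic Characters exceeds Minimum Characters")
    if not 0 <= p.min_numeric <= 32:
        errs.append("Minimum Numeric Characters must be 0 through 32")
    if p.min_alpha + p.min_numeric + p.min_special > p.max_chars:  # added check
        errs.append("class minimums add up to more than Maximum Characters")
    return errs

def password_errors(p, password):
    """Return the strength rules a candidate password violates."""
    alpha = sum(c in ALPHA for c in password)
    numeric = sum(c in DIGITS for c in password)
    control = sum(ord(c) < 32 for c in password)     # ASCII 0-31 are excluded
    special = len(password) - alpha - numeric - control
    checks = [
        (p.min_chars <= len(password) <= p.max_chars, "length"),
        (alpha >= p.min_alpha, "alphabetic"),
        (numeric >= p.min_numeric, "numeric"),
        (special >= p.min_special, "special"),
        (control == 0, "control character"),
    ]
    return [name for ok, name in checks if not ok]
```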
Configure Password Authentication Policy
A Password policy can be used to specify the following attributes for password-based authentication:
  • User status
    : The status of the user, which can be active or inactive.
    If the user status check is enabled, then the authentication for users in inactive state results in failure.
  • Lockout criteria
    : The number of failed attempts after which the user credential is locked out.
  • Unlocking criteria
    : The number of hours after which a locked user password credential can be used to log in again.
  • Partial password options
    : Number of password characters to challenge.
    When CA Strong Authentication Server receives the partial password authentication request, the user is challenged for the characters at various positions in their password. For example, suppose the password is welcome1 and the Number of Password Characters to Challenge field is set to 4. The challenge might look like "Enter the characters at positions 2, 4, and 7". If the user enters "ece", then the authentication is successful.
  • Multi-password options
    : Specifies whether the user is allowed to enter any of their passwords or a password with the specific usage type.
Follow these steps:
  1. Click the Services and Server Configurations tab on the main menu.
  2. Ensure that the CA Strong Authentication tab in the submenu is active.
  3. Under the Password section, click the Authentication link to display the Password Authentication Policy page.
  4. Edit the fields in the Policy Configuration section, as required.
    • Policy Configurations:
    • Create
      To create a new policy:
      • Select the Create option.
      • Specify the Configuration Name of the new policy in the field that appears.
    • Update
      To update an existing policy, select the policy that you want to update from the Select Configuration list that appears.
    • Copy Configuration
      Enable this option if you want to create the policy by copying the configurations from an existing policy.
      Note: You can also copy from configurations that belong to other organizations that you have scope on.
    • Available Configurations
      Select the policy from which the configurations are copied.
    • Lockout Credential After
      Specify the number of failed attempts after which the user credential is locked.
    • Check User Status Before Authentication
      Select this option if you want to verify whether the user is active, before authenticating them.
  5. Expand the Advanced Configurations section by clicking the [+] sign.
  6. Edit the fields in the section, as required:
    • Additional Password Options:
    • Issue Warning
      Specify the number of days before expiration at which a warning about the user's impending credential expiration is sent to the calling application.
    • Allow Successful Authentication
      Specify the number of days for which the users can use an expired credential to log in successfully.
    • Enable Automatic Credential Unlock
      Select this option if you want the credential to be automatically unlocked after the time you specify in the following field.
      This field is valid only if you specify the corresponding value in the Lockout Credential After field.
    • Unlock After
      Specify the number of hours after which a locked credential can be used again for authentication.
    • Challenge Validity (in Seconds)
      Specify the duration for which the password challenge has to be valid.
    • Partial Password Options:
    • Number of Password Characters to Challenge
      Specify the total number of password characters that have to be challenged. The number of random positions that are challenged by CA Strong Authentication Server is equal to this value.
    • Alternate Processing Options:
    • Alternate Processing Options
      The CA Strong Authentication Server acts as a proxy and passes authentication requests to other authentication servers if these conditions are met:
      • User Not Found: If the user trying to authenticate is not present in the CA Strong Authentication database, then the request is passed to the other server.
      • Credential Not Found: If the credential with which the user is trying to authenticate is not present in the CA Strong Authentication database, then the request is passed to the other server.
      See Configuring CA Strong Authentication as RADIUS Proxy Server for more information to enable this feature.
    • Multiple Credential Options:
    • Usage Type for Verification
      Choose the Any Usage Type option if you want to authenticate users with any of their passwords. For example, if the user has two passwords, welcome123 with usage type as permanent and hello123 with usage type as temporary, then the user is authenticated if they provide either of the passwords.
      If you want the user to authenticate with a particular password, then enter the name of its usage type in the Usage Type field.
  7. Click Save.
  8. Refresh all deployed CA Strong Authentication Server instances.
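The following added example (a toy model, not CA Strong Authentication code) shows how the Number of Password Characters to Challenge, Challenge Validity (in Seconds) and Lockout Credential After settings interact during a partial password exchange. All names are hypothetical. The single-use challenge and the choice not to count an expired challenge as a failed attempt are assumptions of this model.

```python
import hmac
import secrets
import time

class PartialPasswordAuth:
    """Toy model of the policy fields on this page; names are hypothetical."""

    def __init__(self, password, challenge_chars, validity_seconds, lockout_after):
        # The toy keeps the plaintext: a hash of the whole password cannot
        # answer a per-position check.
        self.password = password
        self.challenge_chars = challenge_chars
        self.validity_seconds = validity_seconds
        self.lockout_after = lockout_after
        self.failures = 0
        self.pending = None                 # (positions, issued_at)

    def challenge(self, now=None):
        """Pick distinct random 1-based positions, returned in ascending order."""
        now = time.time() if now is None else now
        k = min(self.challenge_chars, len(self.password))
        rng = secrets.SystemRandom()        # OS randomness, not the default PRNG
        positions = sorted(rng.sample(range(1, len(self.password) + 1), k))
        self.pending = (positions, now)
        return positions

    def verify(self, answer, now=None):
        """Return 'ok', 'fail', 'expired', 'locked' or 'no-challenge'."""
        now = time.time() if now is None else now
        if self.failures >= self.lockout_after:
            return "locked"
        if self.pending is None:
            return "no-challenge"
        positions, issued_at = self.pending
        self.pending = None                 # assumption: a challenge is single use
        if now - issued_at > self.validity_seconds:
            return "expired"                # assumption: not counted as a failure
        expected = "".join(self.password[p - 1] for p in positions)
        # Constant-time comparison avoids leaking how many characters matched.
        if hmac.compare_digest(answer.encode(), expected.encode()):
            self.failures = 0
            return "ok"
        self.failures += 1
        return "locked" if self.failures >= self.lockout_after else "fail"
```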