17/3/2017
Password Policy Configuration Options - SAP HANA Security Guide - SAP Library
SAP HANA Platform Core 2.0 SPS 00
Password Policy Configuration Options

The Password Policy and Blacklist page in the SAP HANA cockpit and the Security editor in the SAP HANA studio allow you to view the password policy and to change its default configuration. The password policy is defined by parameters in the password policy section of the indexserver.ini configuration file. The following sections describe these parameters, which correspond to the configuration options available in the SAP HANA cockpit and the SAP HANA studio.

Note: The password policy parameters for the system database of a multiple-container system are maintained in the nameserver.ini file, not the indexserver.ini file.

The following options are described:
- Minimum Password Length
- Lowercase Letter/Uppercase Letter/Numerical Digit/Special Character Required
- Password Change Required on First Logon
- Number of Last Used Passwords That Cannot Be Reused
- Number of Allowed Failed Logon Attempts
- User Lock Time
- Minimum Password Lifetime
- Maximum Password Lifetime
- Lifetime of Initial Password
- Maximum Duration of User Inactivity
- Notification of Password Expiration
- Exempt SYSTEM User from Locking
- Detailed Error Information on Failed Logon
Minimum Password Length
The minimum number of characters that the password must contain.
Parameter: minimal_password_length
Default Value: 8 (characters)
Additional Information: You must enter a value between 6 and 64.
UI Label: Minimum Password Length
http://helplegacy.sap.com/saphelp_hanaplatform/helpdata/en/61/662e3032ad4f8dbdb5063a21a7d706/content.htm#id_w5w_jkl_45
Lowercase Letter/Uppercase Letter/Numerical Digit/Special Character Required
The character types that the password must contain; at least one character of each selected character type is required.
Parameter: password_layout
Default Value: Aa1
Additional Information: The following character types are possible:
- Lowercase letter (a-z)
- Uppercase letter (A-Z)
- Numerical digits (0-9)
- Special characters (underscore (_), hyphen (-), and so on)
Any character that is not an uppercase letter, a lowercase letter, or a numerical digit is considered a special character. The default configuration requires passwords to contain at least one uppercase letter, at least one number, and at least one lowercase letter, with special characters being optional.

Note: Passwords containing special characters other than underscore must be enclosed in double quotes ("). The SAP HANA Studio does this automatically. When a password is enclosed in double quotes ("), any Unicode characters may be used.

Caution: The use of passwords enclosed in double quotes (") may cause logon issues depending on the client used. The SAP HANA Studio, for example, supports passwords enclosed in double quotes ("), while the SAP HANA HDBSQL command line tool does not.

Note: If configuring this option in the indexserver.ini file using the password_layout parameter, you can use any specific letters, numbers and special characters, and the characters can be in any order. For example, the default value could also be represented by a1A, hQ5, or 9fG. If you want to enforce the use of at least one of each character type, including special characters, specify A1a_ or 2Bg?.
UI Label: Lowercase Letter/Uppercase Letter/Numerical Digit/Special Character Required
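As an added example (not SAP's code and not part of the original page), the following Python functions interpret a password_layout value by the rules above and check a candidate password against it together with minimal_password_length; the function names and the sample passwords are my own.

```python
def char_class(ch: str) -> str:
    """Classify one character the way password_layout does: anything that is
    not a-z, A-Z or 0-9 (including any Unicode letter) is a special character."""
    if "a" <= ch <= "z":
        return "lowercase"
    if "A" <= ch <= "Z":
        return "uppercase"
    if "0" <= ch <= "9":
        return "digit"
    return "special"


def required_classes(layout: str) -> set:
    """Translate a password_layout value into the set of required classes.

    The specific letters, digits and their order do not matter: "Aa1", "hQ5"
    and "9fG" all require one uppercase, one lowercase and one digit, while
    "A1a_" or "2Bg?" additionally require a special character.
    """
    return {char_class(ch) for ch in layout}


def check_password(password: str, layout: str = "Aa1", min_length: int = 8) -> list:
    """Return the list of policy violations; an empty list means the password
    satisfies minimal_password_length and password_layout (defaults: 8, "Aa1")."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than minimal_password_length={min_length}")
    present = {char_class(ch) for ch in password}
    for cls in sorted(required_classes(layout) - present):
        problems.append(f"missing {cls} character required by password_layout={layout!r}")
    return problems


if __name__ == "__main__":
    # Constructed sample passwords (hypothetical, not from any system)
    for candidate, layout in [("Welcome1", "Aa1"), ("Welcome1", "A1a_"), ("Pässw0rd", "2Bg?")]:
        print(candidate, layout, check_password(candidate, layout) or "ok")
```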
Password Change Required on First Logon
Defines whether users have to change their initial passwords immediately the first time they log on.
Parameter: force_first_password_change
Default Value: true
Additional Information: If this parameter is set to true, users can still log on with the initial password, but every action they try to perform returns the error message that they must change their password. If this parameter is set to false, users are not forced to change their initial password immediately the first time they log on. However, if a user does not change the password before the number of days specified in the parameter maximum_unused_initial_password_lifetime, the password still expires and must be reset by a user administrator.

A user administrator (that is, a user with the system privilege USER ADMIN) can force a user to change his or her password at any time with the following SQL statement:

ALTER USER <user_name> FORCE PASSWORD CHANGE

A user administrator can override this password policy setting for individual users (for example, technical users) with the following SQL statements:

CREATE USER <user_name> PASSWORD <password> [NO FORCE_FIRST_PASSWORD_CHANGE]
ALTER USER <user_name> PASSWORD <password> [NO FORCE_FIRST_PASSWORD_CHANGE]

UI Label: Password Change Required on First Logon
Number of Last Used Passwords That Cannot Be Reused
The number of last used passwords that the user is not allowed to reuse when changing his or her current password.
Parameter: last_used_passwords
Default Value: 5 (previous passwords)
Additional Information: If you enter the value 0, the user can reuse his or her old password.
UI Label: Number of Last Used Passwords That Cannot Be Reused
Number of Allowed Failed Logon Attempts
The maximum number of failed logon attempts that are possible; the user is locked as soon as this number is reached.
Parameter: maximum_invalid_connect_attempts
Default Value: 6 (failed logon attempts)
Additional Information: You must enter a value of at least 1. A user administrator can reset the number of invalid logon attempts with the following SQL statement:

ALTER USER <user_name> RESET CONNECT ATTEMPTS

The first time a user logs on successfully after an invalid logon attempt, an entry is made in the INVALID_CONNECT_ATTEMPTS system view containing the following information:
- The number of invalid logon attempts since the last successful logon
- The time of the last successful logon

A user administrator can delete information about invalid logon attempts with the following SQL statement:

ALTER USER <user_name> DROP CONNECT ATTEMPTS

Recommendation: Create an audit policy to log activity in the INVALID_CONNECT_ATTEMPTS system view. For example, create an audit policy that logs data query and manipulation statements executed on this view.

Note: Although this parameter is not valid for the SYSTEM user, the SYSTEM user will still be locked if the parameter password_lock_for_system_user is set to true. If password_lock_for_system_user is set to false, the SYSTEM user will not be locked regardless of the number of failed logon attempts.
UI Label: Number of Allowed Failed Logon Attempts
User Lock Time
The number of minutes for which a user is locked after the maximum number of failed logon attempts.
Parameter: password_lock_time
Default Value: 1440 (minutes)
Additional Information: If you enter the value 0, the user is unlocked immediately. This disables the functionality of the parameter maximum_invalid_connect_attempts. A user administrator can reset the number of invalid logon attempts and reactivate the user account with the following SQL statement:

ALTER USER <user_name> RESET CONNECT ATTEMPTS

It is also possible to reactivate the user in the user editor of the SAP HANA Studio. To lock a user indefinitely, enter the value -1. On the Password Policy and Blacklist page of the SAP HANA cockpit or in the Security editor of the SAP HANA studio, this corresponds to selecting the Lock User Indefinitely checkbox. The user remains locked until reactivated by a user administrator as described above.
UI Label: User Lock Time
Minimum Password Lifetime
The minimum number of days that must elapse before a user can change his or her password.
Parameter: minimum_password_lifetime
Default Value: 1 (day)
Additional Information: If you enter the value 0, the password has no minimum lifetime.
UI Label: Minimum Password Lifetime
Maximum Password Lifetime
The number of days after which a user's password expires.
Parameter: maximum_password_lifetime
Default Value: 182 (days)
Additional Information: You must enter a value of at least 1. A user administrator can exclude users from this password check with the following SQL statement:

ALTER USER <user_name> DISABLE PASSWORD LIFETIME

However, this is recommended only for technical users, not for database users that correspond to real people. A user administrator can re-enable the password lifetime check for a user with the following SQL statement:

ALTER USER <user_name> ENABLE PASSWORD LIFETIME

UI Label: Maximum Password Lifetime
Lifetime of Initial Password
The number of days for which the initial password, or any password set by a user administrator for a user, is valid.
Parameter: maximum_unused_initial_password_lifetime
Default Value: 7 (days)
Additional Information: You must enter a value of at least 1. If a user has not logged on using the initial password within the given period of time, the user will be deactivated until their password is reset.

Note: In SAP HANA 1.0 SPS 12 and earlier, this parameter was misspelled as maximum_unused_inital_password_lifetime. If this parameter had a user-specified value before upgrade, this value will be set as the value of the parameter maximum_unused_initial_password_lifetime. The misspelled parameter is unset and disappears from the custom configuration file.
UI Label: Lifetime of Initial Password
Maximum Duration of User Inactivity
The number of days after which a password expires if the user has not logged on.
Parameter: maximum_unused_productive_password_lifetime
Default Value: 365 (days)
Additional Information: You must enter a value of at least 1. If a user has not logged on within the given period of time using any authentication method, the user will be deactivated until their password is reset.
UI Label: Maximum Duration of User Inactivity
Notification of Password Expiration
The number of days before a password is due to expire that the user receives notification.
Parameter: password_expire_warning_time
Default Value: 14 (days)
Additional Information: Notification is transmitted via the database client (ODBC or JDBC), and it is up to the client application to provide this information to the user. If you enter the value 0, the user does not receive notification that his or her password is due to expire. The system also monitors when user passwords are due to expire and issues a medium priority alert (check 62). This may be useful for technical database users, since password expiration results in the user being locked, which may affect application availability. It is recommended that you disable the password lifetime check of technical users so that their password never expires. For more information about how to disable this check, see SAP Note 1991615.
UI Label: Notification of Password Expiration
Exempt SYSTEM User from Locking
Indicates whether or not the user SYSTEM is locked for the specified lock time (password_lock_time) after the maximum number of failed logon attempts (maximum_invalid_connect_attempts).
Parameter: password_lock_for_system_user
Default Value: true
UI Label: Exempt SYSTEM User from Locking
Detailed Error Information on Failed Logon
Indicates the detail level of error information returned when a logon attempt fails.
Parameter: detailed_error_on_connect
Default Value: false
Additional Information: If set to false, only the information "authentication failed" is returned. If set to true, the specific reason for the failed logon is returned:
- Invalid user or password
- User is locked
- Connect try is outside validity period
- User is deactivated
UI Label: Detailed Error Information on Failed Logon
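As an added example (not SAP's code and not part of the original page), the following Python script reads a constructed [password policy] section in the indexserver.ini format and reports the settings that the sections above identify as disabling or weakening a check; the sample values, the function name and the finding texts are my own.

```python
import configparser

# Constructed sample of the [password policy] section of indexserver.ini
# (not copied from any real system); several settings are deliberately weak.
SAMPLE_INI = """\
[password policy]
minimal_password_length = 5
password_layout = Aa1
force_first_password_change = false
last_used_passwords = 0
maximum_invalid_connect_attempts = 6
password_lock_time = 0
maximum_password_lifetime = 182
password_lock_for_system_user = false
detailed_error_on_connect = true
"""


def audit_password_policy(ini_text: str) -> list:
    """Return one finding per setting that weakens the policy.
    Unset parameters are evaluated at the documented defaults, so an
    empty [password policy] section yields no findings."""
    cp = configparser.ConfigParser()
    cp.read_string(ini_text)
    sec = cp["password policy"]
    findings = []
    length = sec.getint("minimal_password_length", 8)
    if not 6 <= length <= 64:
        findings.append(f"minimal_password_length={length}: must be between 6 and 64")
    if not sec.getboolean("force_first_password_change", True):
        findings.append("force_first_password_change=false: initial password change not enforced")
    if sec.getint("last_used_passwords", 5) == 0:
        findings.append("last_used_passwords=0: users can reuse their old password")
    if sec.getint("maximum_invalid_connect_attempts", 6) < 1:
        findings.append("maximum_invalid_connect_attempts: must be at least 1")
    if sec.getint("password_lock_time", 1440) == 0:
        findings.append("password_lock_time=0: immediate unlock disables maximum_invalid_connect_attempts")
    if not sec.getboolean("password_lock_for_system_user", True):
        findings.append("password_lock_for_system_user=false: SYSTEM is never locked after failed logons")
    if sec.getboolean("detailed_error_on_connect", False):
        findings.append("detailed_error_on_connect=true: specific failure reason is returned to the client")
    return findings


if __name__ == "__main__":
    for finding in audit_password_policy(SAMPLE_INI):
        print(finding)
```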
Related Information
- Execute SQL Statements in SAP HANA Studio
- Create an Audit Policy
- SAP Note 1991615

© Copyright by SAP SE or an SAP affiliate company. All rights reserved. Printed from SAP Help Portal (http://help.sap.com).