19 Managing Password Policies

Organization administrators can associate a password policy with an organization, choosing from the password policies created by system administrators. A password policy set for an organization applies to that organization and all its suborganizations. If the administrator of a suborganization sets a different password policy on that suborganization, the new policy overrides the parent organization's policy for that suborganization and for all suborganizations under it. If a user is a member of multiple organizations, the user's password policy is determined by the home organization and the home organization's hierarchy.

In addition, password policy priority determines which password policy applies to a user who is a member of multiple organizations. If the organizations are in a hierarchy, the password policy of the organization closest to the user applies even if the policy associated with a parent organization has a higher priority. During user creation, Oracle Identity Manager validates the password, whether entered manually or autogenerated, against the default password policy attached to the Top organization. When the user logs in for the first time and changes the password, the password policy with the highest priority among those applicable to the user's organization is applied.

This chapter describes password policy management in the following sections:

  • Searching Password Policies

  • Creating a Password Policy

  • Setting Password Policy Rules

  • Evaluating Password Policies

  • Setting Challenge Options

  • Deleting a Password Policy

  • Associating Password Policies with Organization

19.1 Searching Password Policies

To search for password policies, use one of the following:

19.1.1 Basic Search

To search for password policies:

  1. Login to Identity Self Service.

  2. Click Manage. Place your mouse pointer on the Policies box, and click Password Policies. The Password Policy page is displayed.

  3. In the Policy Name field, enter the policy name you want to search.

  4. Click Search. The password policies whose names match the search condition are displayed.

19.1.2 Advanced Search

To perform advanced search:

  1. Log in to Identity Self Service.

  2. Click Manage. Place your mouse pointer on the Policies box, and click Password Policies. The Password Policy page is displayed.

  3. Click the Advanced link. The Advanced Password Policies search page is displayed.

  4. Select a search comparator. The default search comparator is Starts With. Other options are Equals, Ends with, Does not equal, and Contains.

    You can use wildcard characters to specify the Password Policy name.

  5. To add a field to your search:

    1. Click Add Fields, and select Policy Name.

    2. Enter value for the search attribute that you added.

    This option is useful for creating complex conditions, such as Policy Name starts with Test and Policy Name ends with User, which requires two fields.

    If you want to remove a field that you added in the search, then click the cross icon next to the field.

  6. To reorder the search element list, click Reorder. A Reorder Search Fields tab opens. Select the search element that has to be reordered and rearrange it using the arrow keys. Click OK.

    The order in which search elements are listed is modified accordingly.

  7. Click Search. The results are displayed in the search results table.

19.2 Creating a Password Policy

By creating password policies, you can:

  • Set password restrictions, for example, define the minimum and maximum length of passwords

  • Set challenge question restrictions

  • See rules that are associated with a password policy

Note:

In an environment in which LDAP synchronization is enabled, ensure one of the following, so that a password accepted by Oracle Identity Manager is not later rejected by the LDAP server:
  • Password policies set on Oracle Identity Manager are more restrictive than the password policies set on the LDAP server.

  • Password policies set on Oracle Identity Manager match the password policies set on the LDAP server.

To create a password policy:

  1. In the Password Policy page, from the Actions menu, select Create. Alternatively, click Create on the toolbar.

  2. In the Policy Name field, enter the name of the password policy.

  3. In the Description field, enter a short description of the password policy.

  4. In the Policy Rules tab, specify values to set the rules for the password policy. For a description of each field in the Policy Rules tab, see "Setting Password Policy Rules".

    Note:

    You can leave the fields blank in the Policy Rules tab, and click Apply to save the password policy. You can later open the password policy and set the policy rules by following the instructions in "Setting Password Policy Rules".
  5. In the Challenge Options section, select Enable Challenge Policy Support to enable configuring challenge policy options. For a description of each field in the Challenge Options section, see "Setting Challenge Options".

  6. Click Apply.

Note:

A password policy is not applied during the creation of an Oracle Identity Manager user through trusted source reconciliation.

19.3 Setting Password Policy Rules

Setting password policy rules involves specifying criteria for your password policy, for example, the minimum and maximum length of passwords.

You can use either or both of the following methods to set password restrictions:

  • Enter information in the appropriate fields, or select the required check boxes. For example, to indicate that a password must have a minimum length of four characters, enter 4 in the Minimum Length field.

  • In the Password File field, enter the directory path and name of the password policy file (for example, c:\Xellerate\userlimits.txt). This file contains predefined words that must not be used as passwords, separated by the delimiter specified in the File Delimiter field. A password that contains any of these words, regardless of case, is rejected. For example, if the file contains the word welcome, then welcome, Welcome, and welcome123 are all invalid passwords.

To set the rules for a password policy:

  1. In the Password Policy page, search and select the password policy that you want to open.

  2. From the Actions menu, select Open. Alternatively, click Open on the toolbar. The password policy details page is displayed.

    Note:

    You can also set the password policy rules at the time of creating the password policy.
  3. In the Policy Rules tab, enter values in the fields, as listed in Table 19-1:

    Note:

    If a data field of the policy is empty, a password conforming to this policy does not have to meet the criteria of that field to be valid. For example, when the Minimum Numeric Characters field is blank, Oracle Identity Manager accepts a password regardless of the number of digits it contains.

    Table 19-1 Fields in the Policy Rules Section

    Field Name Description

    Minimum Length

    The minimum number of characters that a password must contain for the password to be valid.

    For example, if you enter 4 in the Minimum Length field, then the password must contain at least four characters.

    This field accepts values from 0 to 999.

    Minimum Password Age (Days)

    The minimum duration in days for which users can use a password.

    For example, if you enter 2 in the Minimum Password Age (Days) field, then the user cannot change the password within 2 days of creating it.

    The value of this field must be less than the value of the Expires After (Days) field. For example, if you enter 30 in the Expires After (Days) field and 31 in the Minimum Password Age (Days) field, then an error is displayed.

    Warn After (Days)

    The number of days that must pass before a user is notified that the user's password will expire on a designated date.

    For example, you enter 30 in the Expires After (Days) field, and 20 in the Warn After (Days) field, and the password is created on November 1. On November 21, the user will be informed that the password will expire on December 1.

    This field accepts values from 0 to 999.

    Disallow Past Passwords

    The number of previous passwords that a user cannot reuse. This rule ensures that users do not cycle back and forth among a small set of familiar passwords.

    For example, if you enter 10 in the Disallow Past Passwords field, then users are allowed to reuse a password only after using 10 unique passwords.

    This field accepts values from 0 to 24.

    Expires After (Days)

    The maximum duration in days for which users can use a password.

    For example, if you enter 30 in the Expires After (Days) field, then users must change their passwords by the thirtieth day after the password was created or last modified.

    This field accepts values from 0 to 999.

    Note: After the number of days specified in the Expires After (Days) field passes, a message is displayed asking the user to change the password.


  4. You can configure either a default complex password policy or a custom password policy. If you select the Complex Password option, then you cannot use the Custom Policy option setup, and passwords will be evaluated against the complex password criteria.

    • Complex Password: Selecting this option sets the following complex password criteria:

      • The password is at least six characters long.

      • The password contains characters from at least three of the following five categories:

        - English Uppercase Characters (A - Z)

        - English Lowercase Characters (a - z)

        - Base 10 digits (0 - 9)

        - Non-alphanumeric characters (for example: !, $, #, or ^)

        - Unicode characters

      • The password does not contain the user ID, first name, or last name, or any part of them that is longer than two characters.

        The names are parsed for delimiters: commas, periods, dashes or hyphens, underscores, spaces, pound signs, and tabs. If any of these delimiters are found, the names are split and each section is verified not to be included in the password. For example, if the user name is john-d, then d is not checked because it is shorter than three characters. Similarly, if the name is John Richard Doe, then the password cannot contain john, richard, or doe.

        When checking against the user's full name, commas, periods, dashes or hyphens, underscores, spaces, pound signs, and tabs are treated as delimiters that separate the name into individual character sets. Each character set that has three or more characters is searched for in the password; if it is present, the password change is rejected. For example, the name John Richard-Doe is split into three character sets: John, Richard, and Doe. This user cannot have a password that contains John, Richard, or Doe anywhere in it. However, the password can contain the substring d-D, because the hyphen (-) is treated as the delimiter between Richard and Doe and Richard-Doe as a whole is never a character set. The search for character sets in the password is not case-sensitive.

      Note:

      If the user's full name is less than three characters in length, the password is not checked against it because the rate at which passwords will be rejected is too high.
    • Custom Policy: If you select the Custom Policy option, you can set a custom password policy by using the fields listed in Table 19-2.

      Table 19-2 Fields in Custom Policy Section

      Field Name Description

      Maximum Length

      The maximum number of characters that a password can contain.

      For example, if you enter 8 in the Maximum Length field, then a password is not accepted if it has more than eight characters.

      This field accepts values from 1 to 999.

      Maximum Repeated Characters

      The maximum number of times a character can be repeated in a password.

      For example, if you enter 2 in the Maximum Repeated Characters field, then a password is not accepted if any character is repeated more than two times. For example, RL112211 would not be a valid password because the character 1 is repeated three times.

      Note: In this example, there are four occurrences of the character 1, which means that it is repeated three times.

      This field accepts values from 1 to 999.

      Minimum Numeric Characters

      The minimum number of digits that a password must contain.

      For example, if you enter 1 in the Minimum Numeric Characters field, then a password must contain at least one digit.

      This field accepts values from 0 to 999.

      Minimum Alphanumeric Characters

      The minimum number of letters or digits that a password must contain.

      For example, if you enter 6 in the Minimum Alphanumeric Characters field, then a password must contain at least six letters or numbers.

      This field accepts values from 0 to 999.

      Minimum Unique Characters

      The minimum number of nonrepeating characters that a password must contain.

      For example, if you enter 1 in the Minimum Unique Characters field, then a password is accepted if at least one character in the password is not repeated. For example, 1a23321 would be a valid password because the character a in the password is not repeated although the remaining characters are repeated.

      This field accepts values from 0 to 999.

      Minimum Alphabet Characters

      The minimum number of letters that a password must contain.

      For example, if you enter 2 in the Minimum Alphabet Characters field, then the password is not accepted if it has less than two letters.

      This field accepts values from 0 to 999.

      Minimum Uppercase Characters

      The minimum number of uppercase letters that a password must contain.

      For example, if you enter 8 in the Minimum Uppercase Characters field, then a password is not accepted if it contains fewer than eight uppercase letters.

      This field accepts values from 0 to 999.

      Minimum Lowercase Characters

      The minimum number of lowercase letters that a password must contain.

      For example, if you enter 8 in the Minimum Lowercase Characters field, then a password is not accepted if it has less than eight lowercase letters.

      This field accepts values from 0 to 999.

      Special Characters: Min

      The minimum number of special characters that a password must contain.

      For example, if you enter 2 in the Special Characters: Min field, then the password is not accepted if it has less than two special characters.

      The field accepts values from 0 to 999.

      Special Characters: Max

      The maximum number of special characters that a password can contain.

      For example, if you enter 5 in the Special Characters: Max field, then a password is not accepted if it has more than five special characters.

      This field accepts values from 1 to 999.

      Unicode Characters: Min

      The minimum number of Unicode characters that a password must contain.

      For example, if you enter 3 in the Unicode Characters: Min field, then the password is not accepted if it has fewer than three Unicode characters.

      This field accepts values from 0 to 999.

      Unicode Characters: Max

      The maximum number of Unicode characters that a password can contain.

      For example, if you enter 8 in the Unicode Characters: Max field, then a password is not accepted if it has more than eight Unicode characters.

      This field accepts values from 1 to 999.

      Password File

      The path and name of a file that contains predefined terms, which are not allowed as passwords. The file must be stored on the same host on which Oracle Identity Manager is deployed.

      Note: The settings on the Policy Rules tab take precedence over the contents of the password file. For example, a disallowed term from the password file is enforced when no disallowed term is specified on the Policy Rules tab.

      File Delimiter

      The delimiter character used to separate terms in the password file.

      For example, if a comma (,) is entered in the File Delimiter field, then the terms in the password file must be separated by commas.

      Note: No escape characters are defined for password policies, so the delimiter character cannot itself be part of a term.

      Characters Required

      The characters that a password must contain.

      For example, if you enter x in the Characters Required field, then a password is accepted only if it contains the character x.

      Every character you specify in the Characters Required field must also be listed in the Characters Allowed field. If you enter a character in the Characters Required field that is not in the Characters Allowed field, an error is displayed stating that the required characters must be in the list of allowed characters and must not be in the list of not allowed characters.

      If you specify more than one character, do not separate them with delimiters. Commas and white spaces are themselves treated as required characters in this field. For example, if you enter a,x,c, then the password is not accepted unless it contains a comma.

      Note: The characters specified are case-sensitive.

      Characters Allowed

      The characters that a password can contain.

      For example, if you enter the percent sign (%) in the Characters Allowed field, then a password is accepted if it contains a percent sign, given that all other criteria are met.

      Note: If any character is used in the password and that character is not in the Characters Allowed field, then the password will be rejected. For example, if the Characters Allowed field has "abc" and the password is "dad", then the password is rejected because "d" is not in the Characters Allowed field.

      If you specify the same character in the Characters Allowed and Characters Not Allowed fields, then an error message is returned when you create the password policy.

      Note: The characters specified are case-sensitive.

      Characters Not Allowed

      The characters that a password must not contain.

      For example, if you enter an exclamation point (!) in the Characters Not Allowed field, then a password is not accepted if it contains an exclamation point.

      Note: The characters specified are case-sensitive.

      Substrings Not Allowed

      A series of consecutive alphanumeric characters that a password must not contain.

      For example, if you enter oracle in the Substrings Not Allowed field, then a password is not accepted if it contains the letters o, r, a, c, l, and e, in successive order.

      Maximum Incorrect Login attempts counter

      The maximum number of incorrect login attempts allowed for a user. After that many attempts have failed, the user is locked. You can set whether the user is locked permanently or for a period of time: entering a value in this field enables the Permanent Lockout and Lock Duration fields.

      Permanent Lockout

      If a user exceeds the maximum number of incorrect login attempts, the user can be locked out permanently. To enable this, select the check box. If this option is enabled, you cannot set a Lock Duration. Note: Only an administrator can unlock the user if this option is enabled.

      Lock Duration

      If a user exceeds the maximum number of incorrect login attempts, the user can be locked for a period of time. The duration for which the user is locked is set in minutes. For example, if Lock Duration is set to 5 minutes, the user is unlocked 5 minutes after being locked.

      If Permanent Lockout is enabled, this field is not applicable.

      Start with Alphabet

      Whether or not the password must begin with a letter.

      For example, if you select this option, then the password 123welcome is not accepted because the password does not begin with a letter. However, if you do not select this option, then the password can begin with a letter, numeric digit, or special character.

      Disallow First Name

      This check box specifies if the user's first name will be accepted as the whole password or as part of the password.

      When this check box is selected, a password is not valid if the user's first name is entered in the Password field. In addition, the password is not valid if the first name is entered as a part of the password.

      If you deselect this check box, then the password will be accepted, even if it contains the user's first name.

      Disallow User ID

      This check box specifies if the user ID will be accepted as the whole password or as part of the password.

      When this check box is selected, a password will not be valid if the user ID is entered in the Password field. In addition, the password is not valid if the user ID occurs as a part of the password specified in the Password field.

      If you deselect this check box, the password will be accepted, even if it contains the user ID.

      Disallow Last Name

      This check box specifies if the user's last name will be accepted as the whole password or as part of the password.

      When this check box is selected, a password is not valid if the user's last name is entered in the Password field. In addition, the password is not valid if the last name is entered as a part of the password.

      If you deselect this check box, then the password is accepted, even if it contains the user's last name.


  5. Click Apply to save the password policy.

Note:

After creating a password policy, you must associate the policy with an organization. The rules of the policy are then applied to the users of that organization and its suborganizations. For information, see "Evaluating Password Policies" and "Associating Password Policies with Organization".
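The following Python script, added here as an illustration and not code from Oracle Identity Manager, models the checks described in this section so that candidate passwords can be tested against a policy before it is rolled out. complex_policy_violations implements the Complex Password option (the six-character minimum, the three-of-five category rule, and the delimiter-based splitting of names into character sets), and custom_policy_violations implements a subset of the Custom Policy fields with the semantics given in Table 19-2: Maximum Repeated Characters counts occurrences beyond the first, Minimum Unique Characters counts characters that occur exactly once, Characters Required is matched literally and case-sensitively (commas included), and password-file terms are matched as case-insensitive substrings. Assumptions the page does not state: a Unicode character is taken to be any non-ASCII character, and Substrings Not Allowed and Disallow User ID are compared ignoring case. The CustomRules class, its field names, and the sample passwords are constructed for the example.

```python
import re
from dataclasses import dataclass

# Delimiters the Complex Password option uses to split names into character sets:
# comma, period, dash or hyphen, underscore, space, pound sign, and tab.
NAME_DELIMITERS = re.compile(r"[,.\-_ #\t]+")

def name_tokens(*names):
    """Split each name on the delimiters and keep only the character sets of three
    or more characters; the comparison ignores case, so lower-case them here."""
    tokens = set()
    for name in names:
        for tok in NAME_DELIMITERS.split(name or ""):
            if len(tok) >= 3:
                tokens.add(tok.lower())
    return tokens

def complex_policy_violations(password, user_id="", first_name="", last_name=""):
    """Rules the password breaks under the Complex Password option ([] means accepted)."""
    violations = []
    if len(password) < 6:
        violations.append("fewer than 6 characters")
    categories = [
        any("A" <= c <= "Z" for c in password),                  # English uppercase
        any("a" <= c <= "z" for c in password),                  # English lowercase
        any("0" <= c <= "9" for c in password),                  # base 10 digits
        any(c.isascii() and not c.isalnum() for c in password),  # non-alphanumeric
        any(not c.isascii() for c in password),                  # Unicode (assumed: non-ASCII)
    ]
    if sum(categories) < 3:
        violations.append("fewer than 3 of the 5 character categories")
    lowered = password.lower()
    for tok in sorted(name_tokens(user_id, first_name, last_name)):
        if tok in lowered:
            violations.append(f"contains name or user ID token '{tok}'")
    return violations

@dataclass
class CustomRules:
    """A subset of the Custom Policy fields (constructed); None or empty means not enforced."""
    max_repeated: "int | None" = None   # occurrences allowed beyond the first
    min_unique: int = 0                 # characters that occur exactly once
    chars_required: str = ""            # each character literally, case-sensitive
    chars_allowed: str = ""             # empty means any character is allowed
    chars_not_allowed: str = ""
    substrings_not_allowed: tuple = ()
    disallowed_terms: tuple = ()        # the parsed password file
    start_with_alphabet: bool = False
    disallow_user_id: bool = False

def validate_rules(rules):
    """The consistency errors the console reports when the policy is saved."""
    errors = []
    if rules.chars_allowed and set(rules.chars_required) - set(rules.chars_allowed):
        errors.append("required characters must be in the list of allowed characters")
    if set(rules.chars_required) & set(rules.chars_not_allowed):
        errors.append("required characters must not be in the list of not allowed characters")
    if set(rules.chars_allowed) & set(rules.chars_not_allowed):
        errors.append("the same character cannot be in Characters Allowed and Characters Not Allowed")
    return errors

def load_password_file(text, delimiter):
    """Split the password file on its delimiter; no escape characters are defined."""
    return tuple(t.strip() for t in text.split(delimiter) if t.strip())

def custom_policy_violations(password, rules, user_id=""):
    """Rules the password breaks under a Custom Policy ([] means accepted)."""
    violations = []
    if rules.max_repeated is not None:
        for c in sorted(set(password)):          # RL112211: '1' occurs 4 times = repeated 3 times
            if password.count(c) - 1 > rules.max_repeated:
                violations.append(f"'{c}' repeated more than {rules.max_repeated} times")
    if sum(1 for c in set(password) if password.count(c) == 1) < rules.min_unique:
        violations.append("fewer than Minimum Unique Characters")
    for c in dict.fromkeys(rules.chars_required):  # commas and spaces count as characters here
        if c not in password:
            violations.append(f"missing required character {c!r}")
    if rules.chars_allowed:
        for c in sorted(set(password) - set(rules.chars_allowed)):
            violations.append(f"character {c!r} is not in Characters Allowed")
    for c in dict.fromkeys(rules.chars_not_allowed):
        if c in password:
            violations.append(f"contains disallowed character {c!r}")
    lowered = password.lower()                   # assumption: the substring checks ignore case
    for s in rules.substrings_not_allowed:
        if s.lower() in lowered:
            violations.append(f"contains disallowed substring {s!r}")
    for term in rules.disallowed_terms:          # welcome, Welcome and welcome123 all match 'welcome'
        if term.lower() in lowered:
            violations.append(f"contains password file term {term!r}")
    if rules.start_with_alphabet and not password[:1].isalpha():
        violations.append("does not start with a letter")
    if rules.disallow_user_id and user_id and user_id.lower() in lowered:
        violations.append("contains the user ID")
    return violations
```

Run validate_rules on a rule set before evaluating any password with it: it reproduces the errors the console raises when a required character is missing from Characters Allowed or when a character appears in both Characters Allowed and Characters Not Allowed, so an inconsistent rule set is caught the same way the console catches it rather than silently rejecting every password.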

19.4 Evaluating Password Policies

In Oracle Identity Manager, password policies are evaluated in the following scenarios:

  • When users register themselves to Oracle Identity Manager to perform certain tasks in Identity Self Service or Oracle Identity System Administration.

  • When users reset their password using the Forgot Password? link.

  • When users change their enterprise password or target system account password from the Change Password section of the My Information page.

  • When an administrator sets or changes the password of a user manually.

The following is the order in which a user's effective password policy is evaluated:

  1. The password policy (if available) set for the user's home organization is applicable for the user.

  2. If no password policy is set for the user's home organization, then the policy of the next organization up in the home organization's hierarchy is picked. This continues up the hierarchy until an organization with an associated password policy is found; that password policy applies to the user.

  3. If none of the organizations in the hierarchy has password policies set, then the password policy attached to the Top organization is applicable. If no password policy is attached to the Top organization, then the default password policy of the XellerateUsers resource is applicable.
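The resolution order above, as an added Python model that is not Oracle Identity Manager code: effective_policy walks from the user's home organization up the parent chain and returns the first attached policy, falling back to the XellerateUsers resource policy when even Top has none, and policy_for_event distinguishes the creation-time check against the Top policy (see the chapter introduction) from later password changes. The organization hierarchy, the user records, and the RESOURCE_DEFAULT label are constructed for the example; memberships outside the home organization are carried in other_orgs only to show that they play no part in the result.

```python
from dataclasses import dataclass, field

# Hypothetical label for the default policy of the XellerateUsers resource, used
# when no organization in the chain, not even Top, has a policy attached.
RESOURCE_DEFAULT = "XellerateUsers default policy"

@dataclass
class Org:
    name: str
    parent: "Org | None" = None      # None only for the Top organization
    policy: "str | None" = None      # name of the associated password policy, if any

@dataclass
class User:
    login: str
    home_org: Org
    other_orgs: list = field(default_factory=list)  # memberships that do not affect the policy

def effective_policy(user):
    """Walk from the home organization towards Top; return (policy, organization found on)."""
    org = user.home_org
    while org is not None:
        if org.policy:
            return org.policy, org.name
        org = org.parent
    return RESOURCE_DEFAULT, "XellerateUsers"

def top_of(org):
    """The root of the hierarchy the organization belongs to."""
    while org.parent is not None:
        org = org.parent
    return org

def policy_for_event(user, event):
    """At user creation the Top policy is checked; afterwards the effective policy applies."""
    if event == "create":
        top = top_of(user.home_org)
        return (top.policy or RESOURCE_DEFAULT), top.name
    return effective_policy(user)

def build_example_hierarchy():
    """Constructed example: Top > Engineering > {Security, Ops}. Only Top and Security
    have policies attached, so Ops inherits from Top and Security overrides it."""
    top = Org("Top", policy="Corporate Default")
    eng = Org("Engineering", parent=top)
    sec = Org("Security", parent=eng, policy="Strict")
    ops = Org("Ops", parent=eng)
    return {"Top": top, "Engineering": eng, "Security": sec, "Ops": ops}
```

The walk stops at the first organization with a policy, which is what makes a suborganization policy override a parent policy regardless of the parent policy's priority; a user whose home organization is Ops gets the Top policy even if that user is also a member of Security.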

19.5 Setting Challenge Options

To set the challenge question options for a password policy:

  1. In the Password Policy page, search and select the password policy that you want to open.

  2. From the Actions menu, select Open. Alternatively, click Open on the toolbar. The password policy details page is displayed.

    Note:

    You can also set the Challenge option at the time of creating the password policy.
  3. In the Challenge Options section, if Enable Challenge Policy Support is selected, configure the fields listed in Table 19-3:

    Table 19-3 Fields in the Challenge Option Section

    Field Name Description

    Allowed Challenges

    This field selects which set of challenge questions is shown to the user. The options are User Defined, Admin Defined, and User or Admin Defined.

    If User Defined is selected, the challenge questions are defined by the user.

    If Admin Defined is selected, the challenge questions are selected from the list provided by the administrator.

    If User or Admin Defined is selected, the questions are a combination of admin-defined questions and questions customized by the user.

    Total Questions To Be Collected

    The total number of challenge questions a user must provide at login.

    Minimum Correct Answers When Challenged

    The minimum number of correct answers the user must provide when challenged with the questions.

    Allow Duplicate Responses

    Whether the user may give the same answer to more than one question.

    Minimum Answer Length

    The minimum length of an answer to a challenge question.

    Lock User After Attempts

    The number of wrong answers to the challenge questions after which the user is locked.


  4. When Allowed Challenges is set to Admin Defined or User or Admin Defined, you must add challenge questions. The number of questions to add is determined by the Total Questions To Be Collected field.

    To add questions:

    1. Under Challenge Questions section, click Add.

    2. Enter the challenge question in the Questions table. To include more questions, click Add.

    3. To delete a question, select the question and click Delete.

    Note:

    If you have customized the challenge questions, then add your localized messages to the customResources_<XX>.properties file under the IDM_HOME/server/customResources/ directory. Here, XX is the locale code, such as ar, da, de, es, or fr.

    Add each entry directly beneath the following line in the customResources_<XX>.properties file, replacing the blank spaces in the key (the part before the =) with ~:

    #global.<lookup_code>.<encode_data>=<unicoded_decodedata_string>

    For example:

    #global.<lookup_code>.<encode_data>=<unicoded_decodedata_string>
    global.Lookup.WebClient.Questions.Who~was~your~childhood~hero?=Qui \u00E9tait votre h\u00E9ros d\'enfance?
    
  5. Click Apply to save the password policy changes.
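The properties entry shown in the note above, generated by an added Python helper rather than code shipped with Oracle Identity Manager: property_key builds the global.<lookup_code>.<encode_data> key with blanks replaced by ~, and escape_value writes the translated question with non-ASCII characters as \uXXXX escapes and the apostrophe escaped as \', both as in the French example on this page. The lookup code Lookup.WebClient.Questions is taken from that example; the German sample question is constructed for the example, and any further escaping the file might need is not stated on the page and is not handled here.

```python
LOOKUP_CODE = "Lookup.WebClient.Questions"   # lookup code used in the page's example
TEMPLATE_LINE = "#global.<lookup_code>.<encode_data>=<unicoded_decodedata_string>"

def property_key(question, lookup_code=LOOKUP_CODE):
    """Key part of the entry: global.<lookup_code>.<encode_data>, blanks replaced by ~."""
    return f"global.{lookup_code}.{question.replace(' ', '~')}"

def escape_value(text):
    """Value part: non-ASCII characters as \\uXXXX escapes and the apostrophe as \\',
    matching the page's French example; no other escaping is assumed."""
    out = []
    for ch in text:
        if ch == "'":
            out.append("\\'")
        elif ord(ch) > 0x7F:
            out.append("\\u%04X" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)

def property_line(question, translation, lookup_code=LOOKUP_CODE):
    """One complete entry for customResources_<XX>.properties."""
    return property_key(question, lookup_code) + "=" + escape_value(translation)

def properties_block(translations, lookup_code=LOOKUP_CODE):
    """The template comment line followed by one entry per (question, translation) pair."""
    lines = [TEMPLATE_LINE]
    for question, translation in translations:
        lines.append(property_line(question, translation, lookup_code))
    return "\n".join(lines)
```

Generating the entries this way keeps the key exactly equal to the English question text (only blanks are rewritten), which is what the lookup needs to match, and avoids hand-typing \u escapes for accented characters.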

19.6 Deleting a Password Policy

To delete a password policy:

  1. In the Password Policy page, search and select a password policy that you want to delete.

  2. From the Actions menu, select Delete. Alternatively, click Delete on the toolbar. A message is displayed asking for confirmation.

  3. Click Yes to confirm the deletion.

19.7 Associating Password Policies with Organization

To associate the password policy with an organization and use the password policy to manage the passwords of Oracle Identity Manager users, see Creating an Organization.

To associate the password policy with a resource, see "Configuring Password Policies for Application Instances" in Oracle Fusion Middleware Administering Oracle Identity Manager.