Admin Security and Admin Security ACP Licenses

The Admin Security and Admin Security ACP licenses both work to increase the security of the Oracle Communications Session Border Controller (SBC). If a device already has an Admin Security license installed, you can add an Admin Security ACP license later if you need to reopen access to ACP ports. Both licenses may co-exist on a single device, or either license may be on the device alone. An Admin Security ACP license performs the same functions as an Admin Security license, but also enhances password strength requirements and allows access to the ACP (Acme Control Protocol) ports blocked by an Admin Security license.

As with any other license, an activate-config command must be executed after license installation for all changes to take effect. Certain ACLI aspects, such as login and password change prompts, change immediately after installation of the Admin Security license.

Note:

Once the Admin Security or the Admin Security with ACP entitlement is provisioned, it cannot be removed from the system in the field; your chassis must be returned to Oracle for replacement.

Note:

The Admin Security or the Admin Security ACP feature sets are not intended for all customer use. Consult your Oracle representative to understand the ramifications of enabling these features.

License Requirements

Support for enhanced password strength requires two licenses: the previously existing Admin Security license and the newly available Admin Security ACP license.

Password Policy

The Admin Security feature set supports the creation of password policies that enhance the authentication process by imposing requirements for:

  • password length
  • password strength
  • password history and re-use
  • password expiration and grace period

The Admin Security feature set restricts access to the ACP ports and mandates the following password length/strength requirements.

  • user password must contain at least 9 characters (Admin Security only)
  • admin password must contain at least 15 characters
  • passwords must contain at least 2 lower case alphabetic characters
  • passwords must contain at least 2 upper case alphabetic characters
  • passwords must contain at least 2 numeric characters
  • passwords must contain at least 2 special characters
  • passwords must differ from the prior password by at least 4 characters
  • passwords cannot contain, repeat, or reverse the user name
  • passwords cannot contain three consecutive identical characters

The Admin Security ACP add-on feature imposes the same password length/strength requirements as above except for the minimum length requirement, and also provides access to the ACP ports.

When you set the password-policy > password-policy-strength config property to enabled as part of the Admin Security ACP feature, you impose the following requirements in addition to those enforced with the Admin Security feature:

  • passwords cannot contain two or more characters from the user ID
  • passwords cannot contain a sequence of three or more characters from any password contained in the password history cache
  • passwords cannot contain a sequence of two or more characters more than once
  • passwords cannot contain either sequential numbers or characters, or repeated characters more than once

In the absence of the Admin Security ACP feature, you may safely ignore the password-policy-strength config property and retain the default value (disabled). For more information, see Configuring the Admin Security with ACP Password Rules.

Some specific password policy properties, specifically those regarding password lifetime and expiration procedures, are also applicable to SSH public keys used to authenticate client users.

Configuring Password Policy Properties

The single instance password-policy configuration element defines the password policy.

  1. From superuser mode, use the following command path to access password-policy configuration mode.
    ORACLE# configure terminal
    ORACLE(configure)# security
    ORACLE(security)# password-policy
    ORACLE(password-policy)#

    The password-policy configuration element properties (with the introduction of the Admin Security or JITC feature) are shown below with their default values.

    min-secure-pwd-length       8
    expiry-interval             90
    expiry-notify-period        30
    grace-period                30
    grace-logins                3
    password-history-count      3
    password-change-interval    24
    password-policy-strength    disabled
  2. The min-secure-pwd-length command is ignored when the Admin Security with ACP feature is installed and the password-policy-strength configuration element is set to enabled.
  3. Use the expiry-interval command to specify the password lifetime in days. Password lifetime tracking begins when a password is changed.
    Allowable values are integers within the range 0 through 65535, with a default value of 90 (days).

    Note:

    The minimum expiry-interval is 0 with a provisioned JITC feature only and remains 1 when only an Admin Security feature is provisioned.
    ORACLE(password-policy)# expiry-interval 60
    ORACLE(password-policy)#
  4. Use the password-change-interval command to specify the minimum password lifetime (the minimum time that must elapse between password changes).

    Allowable values are integers within the range 1 through 24, with a default value of 24 (hours).

    ORACLE(password-policy)# password-change-interval 18
    ORACLE(password-policy)#
  5. Use the expiry-notify-period to specify the number of days prior to expiration that users begin to receive password expiration notifications.

    Allowable values are integers within the range 1 through 90, with a default value of 30 (days).

    During the notification period, users are reminded of impending password expiration at both Session Director login and logout.

    ORACLE(password-policy)# expiry-notify-period 10
    ORACLE(password-policy)#
  6. Use the grace-period command in conjunction with the grace-logins command to police user access after password expiration.

    After password expiration, users are granted some number of logins (specified by the grace-logins command) for some number of days (specified by the grace-period command). Once the number of logins has been exceeded, or once the grace period has expired, the user is forced to change his or her password.

    Allowable values for grace-period are integers within the range 1 through 90, with a default value of 30 (days).

    Allowable values for grace-logins are integers within the range 1 through 10, with a default value of 3 (logins).

    ORACLE(password-policy)# grace-period 1
    ORACLE(password-policy)# grace-logins 1
    ORACLE(password-policy)#
  7. Use the password-history-count command to specify the number of previously used passwords retained in encrypted format in the password history cache.
    Allowable values are integers within the range 1 through 24, with a default value of 3 (retained passwords).

    Note:

    The maximum password-history-count is 24 with a provisioned JITC feature only and remains 10 when only an Admin Security feature is provisioned.

    By default, a user’s three most recently expired passwords are retained in the password history. As the user’s current password is changed, that password is added to the history, replacing the oldest password entry.

    New, proposed passwords are evaluated against the contents of the password cache, to prevent password re-use, and guard against minimal password changes.

    ORACLE(password-policy)# password-history-count 10
    ORACLE(password-policy)#
  8. (Optional) Use the password-policy-strength command to enable the enhanced password strength requirements.

    In the absence of the Admin Security ACP feature set, this command can be safely ignored.

    password-policy-strength may be enabled when the Admin Security with ACP feature is enabled. This feature includes all of the password security features contained in the Admin Security feature set and also adds password strength requirements beyond those imposed by Admin Security. Specific new requirements are as follows:

    • passwords cannot contain two or more characters from the user ID

      For example, given a user ID of administrator, the password thispasswordistragic is not allowed because istra is a substring of administrator.

    • passwords cannot contain a sequence of three or more characters from any password contained in the password history cache
    • passwords cannot contain a sequence of two or more characters more than once

      For example, ...w29W29... is legal; ...w29W29&&29... is not.

    • passwords cannot contain either sequential numbers or characters, or repeated characters more than once

      For example, ‘666’, ‘aaaa’, ‘abcd’, ‘fedc’, ‘1234’, and ‘7654’ all render a password illegal.

    In the absence of the Admin Security ACP feature, retain the default value (disabled). With the Admin Security with ACP feature installed, use enabled to add the new password requirements as listed above; use disabled to retain only the password requirements defined by Admin Security.

    ORACLE(password-policy)# password-policy-strength enabled
    ORACLE(password-policy)#
  9. Use done, exit and verify-config to complete the password policy configuration.
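The rules listed under Password Policy and in step 8 above can be mirrored in a small pre-check, so an operator can test a candidate password before the SBC rejects it. This is an added example, not Oracle code; the SBC enforces the policy itself. It assumes case-insensitive user-name matching, that "differ by at least 4 characters" counts differing positions, and that a "sequential" run is rejected at 3 characters (the page's examples use 4); none of these details are stated on the page.

```python
"""Pre-check a candidate SBC password against the Admin Security rules and the
Admin Security ACP rules (password-policy-strength enabled) from this section.
Assumptions not stated on the page: user-name matching is case-insensitive,
"differ by at least 4 characters" counts positions that differ, and "sequential"
means a run of SEQ_RUN consecutive code points (the page's examples use 4)."""
import string

SPECIALS = set(string.punctuation)
SEQ_RUN = 3  # assumed run length at which abc / 321 style sequences are rejected

def has_run(pw, step, length=SEQ_RUN):
    """True if pw holds `length` consecutive characters whose code points
    change by `step` each time (step 0 means identical characters)."""
    return any(all(ord(pw[i + j + 1]) - ord(pw[i + j]) == step
                   for j in range(length - 1))
               for i in range(len(pw) - length + 1))

def ngrams(s, n):
    """All overlapping substrings of length n, as a list so counts survive."""
    return [s[i:i + n] for i in range(len(s) - n + 1)]

def check_password(pw, user_id, role="user", prior=None, history=(), acp=False):
    """Return the list of violated rules; an empty list means the password passes."""
    v, low, uid = [], pw.lower(), user_id.lower()
    # --- Admin Security rules ---
    min_len = 15 if role == "admin" else 9
    if len(pw) < min_len: v.append(f"length<{min_len}")
    if sum(c.islower() for c in pw) < 2: v.append("lower<2")
    if sum(c.isupper() for c in pw) < 2: v.append("upper<2")
    if sum(c.isdigit() for c in pw) < 2: v.append("digit<2")
    if sum(c in SPECIALS for c in pw) < 2: v.append("special<2")
    if uid in low or uid[::-1] in low: v.append("contains-username")
    if has_run(pw, 0, 3): v.append("3-identical")  # also the ACP "repeated" rule
    if prior is not None:
        diff = sum(a != b for a, b in zip(pw, prior)) + abs(len(pw) - len(prior))
        if diff < 4: v.append("differs<4-from-prior")
    if not acp:
        return v
    # --- Admin Security ACP rules (password-policy-strength enabled) ---
    if set(ngrams(low, 2)) & set(ngrams(uid, 2)): v.append("2-chars-from-user-id")
    if any(set(ngrams(pw, 3)) & set(ngrams(h, 3)) for h in history):
        v.append("3-chars-from-history")
    # Read from the page's example (w29W29 legal, w29W29&&29 not): a 2-character
    # sequence may occur at most twice.
    pairs = ngrams(pw, 2)
    if any(pairs.count(g) > 2 for g in set(pairs)): v.append("2-char-seq>2x")
    if has_run(pw, 1) or has_run(pw, -1): v.append("sequential-run")
    return v
```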