Admin Security

The Admin Security entitlement works to increase the security of the Oracle Communications Session Border Controller. Certain ACLI aspects, such as login and password change prompts, change immediately after enabling Admin Security.

Note:

Once the Admin Security entitlement is provisioned, it cannot be removed from the system in the field; your chassis must be returned to Oracle for replacement.

See the Admin Security Guide for more information.

Password Policy

The Admin Security feature set supports the creation of password policies that enhance the authentication process by imposing requirements for:

  • password length
  • password strength
  • password history and re-use
  • password expiration and grace period

The Admin Security feature set mandates the following password length/strength requirements.

  • user class passwords must contain at least 9 characters (Admin Security only)
  • admin class passwords must contain at least 15 characters
  • passwords must contain at least 2 lower case alphabetic characters
  • passwords must contain at least 2 upper case alphabetic characters
  • passwords must contain at least 2 numeric characters
  • passwords must contain at least 2 special characters (such as !, ", #, $, %, &, ', (, ), *, +, ,, -, ., /, :, ;, <, =, >, ?, @, [, \, ], ^, _, `, {, |, }, ~)
  • passwords must differ from the prior password by at least 4 characters
  • characters in password must differ from the prior password in at least 8 positions
  • passwords cannot contain, repeat, or reverse the entire username
  • passwords cannot contain three consecutive identical characters
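The length/strength rules above can be pre-checked offline before a password is submitted to the device. The following is an added example, not Oracle code: the function name, the rule labels, the reading of "differ by at least 4 characters" as a multiset difference, the counting of length differences as changed positions, and the case-insensitive username match are all assumptions.

```python
import re
import string
from collections import Counter

MIN_LEN = {"user": 9, "admin": 15}   # minimum length per account class, from the list above
SPECIALS = set(string.punctuation)   # same characters as the "such as" list above

def check_password(new, prior, username, account_class="user"):
    """Return the labels of violated rules; an empty list means compliant."""
    problems = []
    if len(new) < MIN_LEN[account_class]:
        problems.append("length")
    counts = {
        "lowercase": sum(c in string.ascii_lowercase for c in new),
        "uppercase": sum(c in string.ascii_uppercase for c in new),
        "numeric": sum(c in string.digits for c in new),
        "special": sum(c in SPECIALS for c in new),
    }
    problems += [label for label, n in counts.items() if n < 2]
    # Assumption: "differ by at least 4 characters" means at least 4 characters
    # of the new password are not matched by characters of the prior one.
    if sum((Counter(new) - Counter(prior)).values()) < 4:
        problems.append("changed-characters")
    # Assumption: positions past the end of the shorter string count as differing.
    differing = sum(a != b for a, b in zip(new, prior)) + abs(len(new) - len(prior))
    if differing < 8:
        problems.append("changed-positions")
    # Assumption: the username match is case-insensitive; a repeated username
    # is caught by the substring test as well.
    name, lowered = username.lower(), new.lower()
    if name and (name in lowered or name[::-1] in lowered):
        problems.append("username")
    if re.search(r"(.)\1\1", new, re.DOTALL):
        problems.append("triple-repeat")
    return problems

# Constructed sample values, not real credentials.
PRIOR = "Winter#2023!aBcd"
print(check_password("Qx7!Lm9$TrucksGo", PRIOR, "sbcadmin", "admin"))
print(check_password("Winter#2023!aBce", PRIOR, "sbcadmin", "admin"))
```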

Some specific password policy properties, specifically those regarding password lifetime and expiration procedures, are also applicable to SSH public keys used to authenticate clients.

Configuring Password Policy Properties

The single instance password-policy configuration element defines the password policy.

  1. From superuser mode, use the following command path to access password-policy configuration mode.
    ORACLE# configure terminal
    ORACLE(configure)# security
    ORACLE(security)# password-policy
    ORACLE(password-policy)#

    The password-policy configuration element properties (with the introduction of the Admin Security or JITC feature) are shown below with their default values.

    min-secure-pwd-length       8 
    expiry-interval             90 
    expiry-notify-period        30 
    grace-period                30 
    grace-logins                3 
    password-history-count      3 
    password-change-interval    24
  2. Use the expiry-interval command to specify the password lifetime in days. Password lifetime tracking begins when a password is changed.
    Allowable values are integers within the range 0 through 65535, with a default value of 90 (days).

    Note:

    The minimum expiry-interval is 0 with a provisioned JITC feature only and remains 1 when only an Admin Security feature is provisioned.

    ORACLE(password-policy)# expiry-interval 60
    ORACLE(password-policy)#
  3. Use the password-change-interval command to specify the minimum password lifetime (the minimum time that must elapse between password changes).

    Allowable values are integers within the range 1 through 24, with a default value of 24 (hours).

    ORACLE(password-policy)# password-change-interval 18
    ORACLE(password-policy)#
  4. Use the expiry-notify-period command to specify the number of days prior to expiration that users begin to receive password expiration notifications.

    Allowable values are integers within the range 1 through 90, with a default value of 30 (days).

    During the notification period, users are reminded of impending password expiration at both Session Director login and logout.

    ORACLE(password-policy)# expiry-notify-period 10
    ORACLE(password-policy)#
  5. Use the grace-period command in conjunction with the grace-logins command to police user access after password expiration.

    After password expiration, users are granted some number of logins (specified by the grace-logins command) for some number of days (specified by the grace-period command). Once the number of logins has been exceeded, or once the grace period has expired, the user is forced to change his or her password.

    Allowable values for grace-period are integers within the range 1 through 90, with a default value of 30 (days).

    Allowable values for grace-logins are integers within the range 1 through 10, with a default value of 3 (logins).

    ORACLE(password-policy)# grace-period 1
    ORACLE(password-policy)# grace-logins 1
    ORACLE(password-policy)#
  6. Use the password-history-count command to specify the number of previously used passwords retained in encrypted format in the password history cache.
    Allowable values are integers within the range 1 through 24, with a default value of 3 (retained passwords).

    Note:

    The maximum password-history-count is 24 with a provisioned JITC feature only and remains 10 when only an Admin Security feature is provisioned.

    By default, a user’s three most recently expired passwords are retained in the password history. As the user’s current password is changed, that password is added to the history, replacing the oldest password entry.

    New, proposed passwords are evaluated against the contents of the password cache to prevent password re-use and to guard against minimal password changes.

    ORACLE(password-policy)# password-history-count 10
    ORACLE(password-policy)#
  7. Use done, exit and verify-config to complete the password policy configuration.
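How the values set in steps 2 through 5 interact over a password's lifetime can be seen in a small model. This is an added example, not Oracle code: the class, function and state names are hypothetical, and it assumes that the grace period starts at the moment of expiry and that the attempted login is counted against grace-logins.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class PasswordPolicy:
    # Fields mirror the ACLI properties; defaults are the values set in the steps above.
    expiry_interval: int = 60            # days
    expiry_notify_period: int = 10       # days
    grace_period: int = 1                # days
    grace_logins: int = 1                # logins
    password_change_interval: int = 18   # hours

def login_state(policy, changed_at, now, grace_logins_used=0):
    """Classify a login as 'valid', 'notify', 'grace' or 'change-required'."""
    if policy.expiry_interval == 0:
        # The page does not state what 0 (JITC only) means, so it is not modelled.
        raise ValueError("expiry-interval 0 is not modelled")
    expires_at = changed_at + timedelta(days=policy.expiry_interval)
    if now < expires_at - timedelta(days=policy.expiry_notify_period):
        return "valid"
    if now < expires_at:
        return "notify"              # reminder shown at login and logout
    # Assumption: the grace window opens at expiry and lasts grace-period days.
    in_window = now < expires_at + timedelta(days=policy.grace_period)
    if in_window and grace_logins_used < policy.grace_logins:
        return "grace"
    return "change-required"         # logins used up or grace period over

def may_change_password(policy, changed_at, now):
    """True once password-change-interval hours have elapsed since the last change."""
    return now - changed_at >= timedelta(hours=policy.password_change_interval)

# Constructed timeline: password changed on 2024-01-01.
changed = datetime(2024, 1, 1)
policy = PasswordPolicy()
for day in (49, 50, 60, 61):
    print(day, login_state(policy, changed, changed + timedelta(days=day)))
```

With grace-period 1 and grace-logins 1, a user who misses the single day after expiry, or who has already used the one grace login, must change the password at the next login.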