000021379 - How is RSA ClearTrust password expiration controlled by password policies

Document created by RSA Customer Support Employee on Jun 16, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.

Article Content

Article Number: 000021379
Applies To: RSA ClearTrust 5.5.2, Oracle 8.1.7
Issue: How is RSA ClearTrust password expiration controlled by password policies?
Resolution: The expiration of an RSA ClearTrust user's password is governed by the password policy associated with the user's administrative group, together with two per-user attributes that sql.conf maps to database columns:

cleartrust.data.sql.user.attributemap.passwordexpirationstatus :EXPIRATION_STATUS
cleartrust.data.sql.user.attributemap.passwordexpirationstate  :OVERRIDE_POLICY

The cleartrust.data.sql.user.attributemap.passwordexpirationstate flag is stored in the database column labeled "OVERRIDE_POLICY". It takes one of two values, "PasswordPolicy" (the default) or "Forced". With "PasswordPolicy", the password expires once the lifetime specified in the password policy associated with the user has elapsed.

However, if you edit the "password expires" date in the edit user screen for that user, the cleartrust.data.sql.user.attributemap.passwordexpirationstate flag is also changed from "PasswordPolicy" to "Forced", meaning the password now expires on the date specified and not according to the password policy lifetime.

With the cleartrust.data.sql.user.attributemap.passwordexpirationstate flag set to "PasswordPolicy", the result of the getExpirationDate call is derived from the password lifetime in the password policy associated with the administrative group that contains the user.

If the cleartrust.data.sql.user.attributemap.passwordexpirationstate flag is set to "Forced", the result of the getExpirationDate call is the date specified in the user's edit user screen.

The parameter specifics are below:

###############
# cleartrust.data.sql.user.attributemap.passwordexpirationstatus :EXPIRATION_STATUS
#
# DESCRIPTION
# Specifies the type of password expiration that has occurred.
#
# ALLOWED VALUES
# NormalExpiration | NewUserExpiration | NormalForcedExpiration | NotExpired
###############
# cleartrust.data.sql.user.attributemap.passwordexpirationstate  :OVERRIDE_POLICY
#
# DESCRIPTION
# Specifies the password expiration date.
#
# ALLOWED VALUES
# Forced | PasswordPolicy
#
# Forced = The password expires on a specified date.
#
# Password Policy = The password policy's expiration date. The value
# is persisted to facilitate the read of the authentication side.
#
# DEFAULT VALUE
# PasswordPolicy
#
# NOTE
# A side effect of the password expiration state not being persisted
# is that a forced password expiration never takes effect because
# the default action is to use the password policy regardless of
# what value is in the password expiration date. Therefore, the
# password expiration date is overwritten with the password policy's
# expiration date if either the password policy or the user account
# is updated.
###############

The cleartrust.data.sql.user.attributemap.passwordexpirationstatus flag has no bearing on the expiration date itself. It records the current password expiration status as one of four values, corresponding to "not expired" (NotExpired), "expired by time" (NormalExpiration), "forced expired" (NormalForcedExpiration) and "new user expiration" (NewUserExpiration).

NOTE: You can revert from the Forced state to the PasswordPolicy state with the ct_revert_password_expiration call. This resets the password expiration date to the value derived from the password policy lifetime associated with the user's administrative group.

Because of the side effect described in the sql.conf NOTE above, a forced expiration (for example, one set to retire a password you suspect is compromised) can be silently replaced by the policy date when the user account or its policy is next updated. After forcing an expiration, confirm that the OVERRIDE_POLICY column still reads "Forced" and that getExpirationDate returns the date you set.
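The following Python model walks through the behaviour described above: the default PasswordPolicy state, the switch to Forced when the "password expires" date is edited, the overwrite that the sql.conf NOTE warns about when the state is not persisted, and the reset performed by ct_revert_password_expiration. It is an added example written for this article, not ClearTrust code or its API. The PasswordPolicy and UserRecord classes, the password_set and new_user fields, the lifetime expressed in days, and the rule that selects an EXPIRATION_STATUS value are all assumptions made for illustration; the column values and the Forced/PasswordPolicy semantics are the ones the article documents.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Allowed values of OVERRIDE_POLICY (...passwordexpirationstate).
FORCED = "Forced"
PASSWORD_POLICY = "PasswordPolicy"

# Allowed values of EXPIRATION_STATUS (...passwordexpirationstatus).
NOT_EXPIRED = "NotExpired"
NORMAL_EXPIRATION = "NormalExpiration"
NORMAL_FORCED_EXPIRATION = "NormalForcedExpiration"
NEW_USER_EXPIRATION = "NewUserExpiration"


@dataclass
class PasswordPolicy:
    lifetime_days: int   # assumed: the policy's password lifetime, in days


@dataclass
class UserRecord:
    password_set: date         # assumed: when the current password was set
    expiration_date: date      # the "password expires" value in the edit user screen
    expiration_state: str = PASSWORD_POLICY   # OVERRIDE_POLICY column
    new_user: bool = False     # assumed: first-login user whose initial password must change


def policy_expiration(user, policy):
    """Expiration date implied by the policy lifetime alone."""
    return user.password_set + timedelta(days=policy.lifetime_days)


def get_expiration_date(user, policy):
    """Models getExpirationDate: Forced -> the user's own date,
    PasswordPolicy -> the lifetime-derived date."""
    if user.expiration_state == FORCED:
        return user.expiration_date
    return policy_expiration(user, policy)


def set_forced_expiration(user, when):
    """Models editing "password expires" in the edit user screen, which also
    flips OVERRIDE_POLICY from PasswordPolicy to Forced."""
    user.expiration_date = when
    user.expiration_state = FORCED


def revert_password_expiration(user, policy):
    """Models ct_revert_password_expiration: back to PasswordPolicy, with the
    date reset to the policy-derived value."""
    user.expiration_state = PASSWORD_POLICY
    user.expiration_date = policy_expiration(user, policy)


def save_user(user, policy, state_persisted=True):
    """Models an update of the user account or its policy. If the expiration
    state is not persisted (the side effect in the sql.conf NOTE), the state
    reads as the default PasswordPolicy and the date is overwritten."""
    if not state_persisted:
        user.expiration_state = PASSWORD_POLICY
        user.expiration_date = policy_expiration(user, policy)


def expiration_status(user, policy, today):
    """Assumed derivation of EXPIRATION_STATUS from the effective date; the
    article lists the four values but not the rule that selects them."""
    if get_expiration_date(user, policy) > today:
        return NOT_EXPIRED
    if user.new_user:
        return NEW_USER_EXPIRATION
    if user.expiration_state == FORCED:
        return NORMAL_FORCED_EXPIRATION
    return NORMAL_EXPIRATION


def run_scenario():
    """Walks the lifecycle the article describes; returns (state, ISO date)
    observed after each step, plus two status readings."""
    policy = PasswordPolicy(lifetime_days=90)
    # Constructed sample user: password set 2017-01-01, so the policy expiry is 2017-04-01.
    user = UserRecord(password_set=date(2017, 1, 1), expiration_date=date(2017, 4, 1))
    seen = {}

    def observe(label):
        seen[label] = (user.expiration_state, get_expiration_date(user, policy).isoformat())

    observe("default")
    set_forced_expiration(user, date(2017, 2, 15))   # administrator edits the date
    observe("forced")
    save_user(user, policy, state_persisted=True)
    observe("after_persisted_update")
    save_user(user, policy, state_persisted=False)   # the NOTE's side effect
    observe("after_unpersisted_update")
    set_forced_expiration(user, date(2017, 2, 15))
    revert_password_expiration(user, policy)          # ct_revert_password_expiration
    observe("reverted")
    seen["status_2017_03_01"] = expiration_status(user, policy, date(2017, 3, 1))
    seen["status_2017_05_01"] = expiration_status(user, policy, date(2017, 5, 1))
    return seen
```

Calling run_scenario() shows the point of the article in one pass: the forced date 2017-02-15 survives an update only while the state is persisted as Forced; once the state falls back to the PasswordPolicy default, the same update silently restores the policy date 2017-04-01, which is also what ct_revert_password_expiration returns on purpose.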
Legacy Article ID: a22709
