This section describes the properties that can be configured for each security domain. They define the rules the domain enforces for account expiration, account and authorization lockout, auditing, and password expiration. The default property values define the initial rules that apply to the default domain. You can modify the rules for a domain by configuring these domain-specific properties using either Enterprise Security Manager or SMAPI. For more information, see Chapter 5, “Delegated Administration.”
The property in Table 15-9 defines how often the domain-specific properties are refreshed.
| Property name | Default value | Description |
|---|---|---|
| propertyRefreshTimeInterval | 60 (seconds) | Defines how often, in seconds, the properties for this domain are re-read. A change to any other property in this section takes effect at the next refresh. |
Table 15-10 describes the domain-specific account expiration properties.
| Property name | Default value | Description |
|---|---|---|
| defaultAccountExpirationDuration | 0 | The number of days any account (active or inactive) remains valid. If set to 0, accounts remain valid indefinitely. |
| inactivityExpirationDuration | 0 | The number of days an inactive account remains valid. If set to 0, inactive accounts remain valid indefinitely. |
Table 15-11 describes the domain-specific account lock properties.
| Property name | Default value | Description |
|---|---|---|
| allowedInvalidLoginAttempts | 3 | The number of invalid login attempts users are allowed, within loginCountTimeSpan, before their account is locked. |
| allowedInvalidAccessAttempts | 5 | The number of attempts to access security objects they do not have permission for that users are allowed, within authCountTimeSpan, before their authorization is locked. |
| authCountTimeSpan | 1440 (minutes) | The number of minutes during which unauthorized attempts to access security objects are counted. |
| authLockEnable | true | Set to true to lock out users after the specified number of attempts to access a security object that they do not have permission to access. |
| authLockPeriod | -1 | The duration of an authorization lockout. |
| closeSessionOnAuthLock | true | Set to true to terminate users’ sessions when their authorization is locked. |
| loginClearHistory | true | Set to true to delete information about invalid login attempts when users successfully log in. |
| loginCountTimeSpan | 60 (minutes) | The number of minutes during which invalid login attempts are counted. |
| loginLockEnable | true | Set to true to lock out users after the specified number of invalid login attempts. |
| loginLockOnAuthLock | true | Set to true to prevent users from logging in while their authorization is locked. |
| loginLockPeriod | -1 | The duration of a lockout. Specify one of: |
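The lockout properties above interact: failures are only counted inside a time window, a successful login may wipe the history, an authorization lock can spill over into a login lock and close the live session, and the lock period decides whether the account frees itself. The following evaluator is an added example, not the product's own code, and it keys its settings by the property names in Table 15-11. Where the page is silent it assumes that a negative lock period means "locked until an administrator unlocks", that lock periods are expressed in minutes, and that the lock engages once the failures inside the window reach the allowed count; the timelines in `run_scenarios` are constructed.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Values from Table 15-11, keyed by the property names used there. This
# evaluator is an added illustration, not the product's implementation.
DOMAIN_PROPS = {
    "allowedInvalidLoginAttempts": 3, "loginCountTimeSpan": 60,    # attempts, minutes
    "loginLockEnable": True, "loginLockPeriod": -1,                 # ASSUMPTION: negative = indefinite
    "loginClearHistory": True, "loginLockOnAuthLock": True,
    "allowedInvalidAccessAttempts": 5, "authCountTimeSpan": 1440,   # attempts, minutes
    "authLockEnable": True, "authLockPeriod": -1, "closeSessionOnAuthLock": True,
}

@dataclass
class AccountState:
    failed_logins: list = field(default_factory=list)    # timestamps of invalid logins
    denied_accesses: list = field(default_factory=list)  # timestamps of denied object accesses
    login_locked_until: datetime = None                  # datetime.max marks an indefinite lock
    auth_locked_until: datetime = None
    session_open: bool = False

def _in_window(events, now, span_minutes):  # prune old events, return how many remain
    cutoff = now - timedelta(minutes=span_minutes)
    events[:] = [t for t in events if t > cutoff]
    return len(events)

def _lock_until(now, period):
    # ASSUMPTION: period is in minutes; a negative value means locked until an administrator unlocks.
    return datetime.max if period < 0 else now + timedelta(minutes=period)

class LockoutPolicy:
    def __init__(self, props):
        self.p, self.accounts = props, {}

    def is_auth_locked(self, user, now):
        s = self.accounts.setdefault(user, AccountState())
        return s.auth_locked_until is not None and now < s.auth_locked_until

    def is_login_locked(self, user, now):
        s = self.accounts.setdefault(user, AccountState())
        if s.login_locked_until is not None and now < s.login_locked_until:
            return True
        return self.p["loginLockOnAuthLock"] and self.is_auth_locked(user, now)

    def login(self, user, password_ok, now):  # returns 'ok', 'denied' or 'locked'
        s = self.accounts.setdefault(user, AccountState())
        if self.is_login_locked(user, now):
            return "locked"
        if password_ok:
            if self.p["loginClearHistory"]:
                s.failed_logins.clear()  # forget earlier failures on success
            s.session_open = True
            return "ok"
        s.failed_logins.append(now)
        n = _in_window(s.failed_logins, now, self.p["loginCountTimeSpan"])
        # ASSUMPTION: the lock engages once failures in the window reach the allowed number.
        if self.p["loginLockEnable"] and n >= self.p["allowedInvalidLoginAttempts"]:
            s.login_locked_until = _lock_until(now, self.p["loginLockPeriod"])
            return "locked"
        return "denied"

    def access(self, user, permitted, now):  # attempt to use a security object
        s = self.accounts.setdefault(user, AccountState())
        if self.is_auth_locked(user, now):
            return "locked"
        if permitted:
            return "ok"
        s.denied_accesses.append(now)
        n = _in_window(s.denied_accesses, now, self.p["authCountTimeSpan"])
        if self.p["authLockEnable"] and n >= self.p["allowedInvalidAccessAttempts"]:
            s.auth_locked_until = _lock_until(now, self.p["authLockPeriod"])
            if self.p["closeSessionOnAuthLock"]:
                s.session_open = False  # terminate the live session as well
            return "locked"
        return "denied"

def run_scenarios():
    """Constructed timelines (minutes after 09:00) showing how the properties interact."""
    m = lambda k: datetime(2024, 1, 1, 9, 0) + timedelta(minutes=k)
    def logins(props, user, attempts):  # attempts: [(minute, password_ok), ...]
        p = LockoutPolicy(props)
        return p, [p.login(user, ok, m(k)) for k, ok in attempts]
    out = {}
    # A: three failures inside loginCountTimeSpan lock the account indefinitely (loginLockPeriod = -1).
    out["A"] = logins(DOMAIN_PROPS, "alice", [(0, False), (1, False), (2, False), (3, True)])[1]
    # B: a successful login clears the failure history (loginClearHistory).
    out["B"] = logins(DOMAIN_PROPS, "bob", [(0, False), (1, False), (2, True), (3, False), (4, False)])[1]
    # C: failures older than loginCountTimeSpan (60 min) no longer count.
    out["C"] = logins(DOMAIN_PROPS, "carol", [(0, False), (1, False), (70, False)])[1]
    # D: a finite loginLockPeriod (30 min) releases the lock on its own.
    out["D"] = logins(dict(DOMAIN_PROPS, loginLockPeriod=30), "dave",
                      [(0, False), (1, False), (2, False), (20, True), (40, True)])[1]
    # E: five denied object accesses lock authorization, close the session and block new logins.
    p, _ = logins(DOMAIN_PROPS, "erin", [(0, True)])
    out["E"] = [p.access("erin", False, m(k)) for k in range(1, 6)]
    out["E"] += [p.accounts["erin"].session_open, p.login("erin", True, m(10))]
    return out
```

Scenario C is the one to keep in mind when tuning: a slow attacker who spaces attempts further apart than loginCountTimeSpan never trips allowedInvalidLoginAttempts, so the window and the count have to be chosen together, and the audit trail (Table 15-12) is what reveals that pattern.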
Table 15-12 describes the domain-specific auditing properties. For more information about auditing, see Chapter 6, “Auditing.”
| Property name | Default value | Description |
|---|---|---|
| auditEnable | false | Specifies whether auditing is enabled for this domain. |
| auditExcludeFilter |  | Specifies which events to exclude from auditing. It is applied after auditIncludeFilter, so it can only narrow the set of events that auditIncludeFilter selects. |
| auditIncludeFilter | (ResourceClass= SYSTEM.*) | Specifies which events to audit. |
| auditJMSEnable | false | Specifies whether to send audit records to a JMS topic, in addition to the primary logging location defined by auditSPI. |
| auditSubjectDNEnable | false | Specifies whether to include the subject DN in audit records. If set to true, the subject DN is added to the XML audit record column and is available to insert in the Subject DN column (see Table 6-12), at some cost in performance. |
| auditSuspendOnFailure | false | Specifies whether to suspend auditing when an error occurs while writing an audit record. |
Table 15-13 describes the domain-specific password properties.
| Property name | Default value | Description |
|---|---|---|
| passwordDuration | 0 | Specifies how many days a password remains valid after it is set. This value affects all users except those explicitly excluded from this policy. You can also specify the password duration in months or years; for example: |
| expiredPasswordChangeWindow | 0 | The number of days after a password expires during which users are still allowed to change their password. |
| passwordStrengthVerification | (String)null | The name of the password-strength verification component. See “Configuring the sample password-strength verification component”. |
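The account-expiration properties in Table 15-10 and the password properties in Table 15-13 are checked together whenever a user logs in, and the order matters: an expired or inactive account is refused before the password is even considered, and an expired password is still changeable inside expiredPasswordChangeWindow. The function below is an added example, not the product's code, and uses non-default values so that every rule can fire. It assumes that account lifetime is counted from the creation date and inactivity from the last login (or from creation if there was none), since the page gives the durations but not their starting points; the accounts in `run_examples` are constructed.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Non-default values for the properties in Tables 15-10 and 15-13, chosen so that
# every rule can fire (the shipped defaults of 0 disable all of them). This check
# is an added illustration, not the product's own code.
PROPS = {
    "defaultAccountExpirationDuration": 365,  # days; 0 = accounts never expire
    "inactivityExpirationDuration": 90,       # days; 0 = inactive accounts never expire
    "passwordDuration": 60,                   # days after the password was set
    "expiredPasswordChangeWindow": 7,         # days after expiry in which the user may still change it
}

@dataclass
class Account:
    created: date
    password_set: date
    last_login: Optional[date] = None      # None: the user has never logged in
    password_policy_exempt: bool = False   # "users explicitly excluded from this policy"

def _expiry(start: date, days: int) -> Optional[date]:
    """First day on which something dated `start` is no longer valid; None when days == 0 (never)."""
    return None if days == 0 else start + timedelta(days=days)

def evaluate(acct: Account, today: date, props: dict = PROPS) -> str:
    """Classify a login attempt on `today`. ASSUMPTION: account lifetime counts from
    creation and inactivity from the last login (from creation if there was none);
    the page states the durations but not their origins."""
    # Table 15-10: the account's overall lifetime takes precedence over everything else.
    hard = _expiry(acct.created, props["defaultAccountExpirationDuration"])
    if hard is not None and today >= hard:
        return "account-expired"
    # Table 15-10: inactivity.
    idle = _expiry(acct.last_login or acct.created, props["inactivityExpirationDuration"])
    if idle is not None and today >= idle:
        return "inactive"
    # Table 15-13: password age, unless this user is exempt from the password policy.
    if acct.password_policy_exempt:
        return "ok"
    pw = _expiry(acct.password_set, props["passwordDuration"])
    if pw is None or today < pw:
        return "ok"
    # Expired: the user may still change it inside expiredPasswordChangeWindow;
    # after that the password, and with it the login, is simply expired.
    if today < pw + timedelta(days=props["expiredPasswordChangeWindow"]):
        return "password-change-required"
    return "password-expired"

def run_examples() -> dict:
    """Constructed accounts evaluated on a fixed date."""
    today, d = date(2024, 6, 1), date
    return {
        "fresh": evaluate(Account(d(2024, 1, 1), d(2024, 5, 1), d(2024, 5, 20)), today),
        "account-expired": evaluate(Account(d(2023, 1, 1), d(2024, 5, 1), d(2024, 5, 20)), today),
        "inactive": evaluate(Account(d(2024, 1, 1), d(2024, 5, 1), d(2024, 2, 1)), today),
        "never-logged-in": evaluate(Account(d(2024, 2, 15), d(2024, 5, 1)), today),
        "change-window": evaluate(Account(d(2024, 1, 1), d(2024, 3, 30), d(2024, 5, 20)), today),
        "password-expired": evaluate(Account(d(2024, 1, 1), d(2024, 3, 1), d(2024, 5, 20)), today),
        "exempt": evaluate(Account(d(2024, 1, 1), d(2024, 3, 1), d(2024, 5, 20), True), today),
        "never-expires": evaluate(Account(d(2024, 1, 1), d(2024, 3, 1), d(2024, 5, 20)), today,
                                  dict(PROPS, passwordDuration=0)),
    }
```

The "never-logged-in" case is the one administrators tend to miss: with inactivityExpirationDuration set, an account that was provisioned but never used ages out just like an abandoned one, which is usually the desired behaviour for stale provisioning.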