OpenVMS Password Policy℠ Documentation
The steps to start using the PARSEC Group OpenVMS Password Policy℠ are:
- Request a license for each system from PARSEC Group. Provide the necessary information:
  - Integrity Servers: Node name and number of cores
  - Alpha: Node name
  - VAX: Node name
- Install the license using VMSLICENSE.COM.
- Install the password policy.
- Edit PG$PASSWORD_SYSTARTUP.COM to configure the policy.
- Execute PG$PASSWORD_STARTUP.COM to start the policy.
- Modify the startup procedures to start the policy each time the system is booted.
Character Sets
There are four classifications of characters as used by the password policy. They are:
- Upper-case
This includes all upper-case characters A-Z.
- Lower-case
This includes all lower-case characters a-z (available with OpenVMS V7.3-2 and later).
These are not allowed on accounts which do not have the pwdmix flag set. Any portion of the password policy relating to lower-case characters is
ignored for those accounts.
- Numeric
This includes the numbers 0-9.
- Other
This includes all punctuation and other characters. For accounts
which do not have the pwdmix flag set, this is the dollar sign and underscore characters ($ _). For accounts which do have the pwdmix flag set, this
includes almost every printable character.
System Requirements
One of the following versions of OpenVMS is required:
- OpenVMS I64 V8.2 or later
- OpenVMS Alpha V6.2 or later
- OpenVMS VAX V6.2 or later
Startup and Shutdown
The OpenVMS Password Policy℠ is started using the SYS$STARTUP:PG$PASSWORD_STARTUP.COM command procedure. This procedure:
- Executes SYS$MANAGER:PG$PASSWORD_SYSTARTUP.COM to define logical names for defining the policy and configuring other options.
- Installs the executable image that enforces the policy.
- Sets the LOAD_PWD_POLICY system parameter.
- Restarts the ACME (Authentication and Credential Management Extensions) server if it is running.
The policy may be shut down using SYS$STARTUP:PG$PASSWORD_SHUTDOWN.COM. This procedure:
- Resets the LOAD_PWD_POLICY system parameter.
- Restarts the ACME server if it is running.
- Uninstalls the executable image that enforces the policy.
Logical Names
Logical names are used to configure the OpenVMS Password Policy℠. Each of these logical names must be defined system-wide or
cluster-wide in executive mode. These are normally defined in SYS$MANAGER:PG$PASSWORD_SYSTARTUP.COM.
- PG$PASSWORD_MIN_GROUPS
This specifies the minimum number of character sets required to be included in the password. The default value of 3 means that each password must include
characters in at least three of the four classifications of characters described above. For accounts which do not have the pwdmix flag set, the value
is limited to 3 since lower-case characters are not allowed in the password for those accounts.
- PG$PASSWORD_MIN_UPPER
This specifies the minimum number of upper-case characters required to be included in the password. The default value of 0 does not set a minimum on
this set of characters.
- PG$PASSWORD_MIN_LOWER
This specifies the minimum number of lower-case characters required to be included in the password. The default value of 0 does not set a minimum on
this set of characters.
- PG$PASSWORD_MIN_NUMERIC
This specifies the minimum number of numeric characters required to be included in the password. The default value of 0 does not set a minimum on this
set of characters.
- PG$PASSWORD_MIN_OTHER
This specifies the minimum number of non-alphanumeric characters required to be included in the password. The default value of 0 does not set a minimum
on this set of characters.
- PG$PASSWORD_MAX_REPEAT
This specifies the maximum number of times a character may be repeated consecutively in the password. The default value of 2 prevents the use of AAA764B since the
character A has been repeated more than two times.
- PG$PASSWORD_MAX_SEQUENCE
This specifies the maximum number of adjacent sequential characters, such as ABC or 987, allowed in the password. The default value of 3 prevents the use of A5678_J since
5678 is more than 3 sequential characters.
- PG$PASSWORD_MIN_LENGTH
This specifies the minimum length for acceptable passwords. OpenVMS allows setting a minimum password length for each account. This provides a
system-wide minimum.
- PG$PASSWORD_MAX_CHECK
When defined to a non-zero value, this sets the maximum number of characters to be checked in the password. This allows the policy to be enforced in
the first portion of the password while still allowing longer passwords to be used. If not defined, the default is to check the entire password.
- PG$PASSWORD_CHECK_USERNAME
If defined to a non-zero value, this disallows a password which contains the username as a portion of the password. For example, the password 2SMITH500
will not be allowed for the username SMITH. The check against the username is not case sensitive. By default, this check is enabled.
- PG$PASSWORD_CHECK_OWNER
If defined to a non-zero value, this disallows a password which contains any component of the owner field which has more than one character. For example,
the password 2SMITH500 will not be allowed for an account which has the owner field set to "John R Smith". The letter R will be allowed in the
password since this is a single character. This check is not case sensitive. By default, this check is enabled.
- PG$PASSWORD_VERBOSE
If defined to a non-zero value, messages will be displayed to the user indicating which portion of the password policy is not met when attempting to set
an unacceptable password. By default, this is not enabled.
Note: Do not enable this feature when using the ACME enabled version of LOGINOUT. This may be checked by looking for ACMELOGIN in the
output from PRODUCT SHOW HISTORY.
- PG$PASSWORD_CHECK_HASH
When defined to a non-zero value, the hashed value of the password is checked for either half containing a value of 0 or -1. By default, this check is
enabled.
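Added example (not PARSEC's code and not part of the product): a Python model of the checks documented above at their default values, for predicting which setting a candidate password would fail before the logical names are changed. It assumes passwords are folded to upper case when the pwdmix flag is not set and that owner-field components are separated by spaces; PG$PASSWORD_MIN_LENGTH, PG$PASSWORD_MAX_CHECK and PG$PASSWORD_CHECK_HASH are not modelled.

```python
import string

# Defaults as stated on the page; keys are the logical names minus PG$PASSWORD_.
DEFAULTS = {"MIN_GROUPS": 3, "MIN_UPPER": 0, "MIN_LOWER": 0, "MIN_NUMERIC": 0,
            "MIN_OTHER": 0, "MAX_REPEAT": 2, "MAX_SEQUENCE": 3,
            "CHECK_USERNAME": 1, "CHECK_OWNER": 1}
CLASSES = {"UPPER": string.ascii_uppercase, "LOWER": string.ascii_lowercase,
           "NUMERIC": string.digits}

def char_class(c):
    """Map a character to one of the page's four classifications."""
    return next((name for name, chars in CLASSES.items() if c in chars), "OTHER")

def longest_run(pw, linked):
    """Longest stretch in which every adjacent pair (a, b) satisfies linked."""
    best = run = 1 if pw else 0
    for a, b in zip(pw, pw[1:]):
        run = run + 1 if linked(a, b) else 1
        best = max(best, run)
    return best

def step(delta):  # ABC (+1) or 987 (-1), within a single character class
    return lambda a, b: ord(b) - ord(a) == delta and char_class(a) == char_class(b)

def violations(pw, username="", owner="", pwdmix=True, **overrides):
    """Return the modelled settings (logical-name suffixes) that pw fails."""
    cfg = {**DEFAULTS, **overrides}
    if not pwdmix:
        pw = pw.upper()  # assumption: no lower case without the pwdmix flag
    counts = dict.fromkeys((*CLASSES, "OTHER"), 0)
    for c in pw:
        counts[char_class(c)] += 1
    failed = []
    # Without pwdmix only three classes exist, so MIN_GROUPS is capped at 3.
    needed = cfg["MIN_GROUPS"] if pwdmix else min(cfg["MIN_GROUPS"], 3)
    if sum(1 for n in counts.values() if n) < needed:
        failed.append("MIN_GROUPS")
    for cls, n in counts.items():
        if n < cfg["MIN_" + cls] and (pwdmix or cls != "LOWER"):
            failed.append("MIN_" + cls)
    if longest_run(pw, lambda a, b: a == b) > cfg["MAX_REPEAT"]:
        failed.append("MAX_REPEAT")
    if max(longest_run(pw, step(1)), longest_run(pw, step(-1))) > cfg["MAX_SEQUENCE"]:
        failed.append("MAX_SEQUENCE")
    if cfg["CHECK_USERNAME"] and username and username.upper() in pw.upper():
        failed.append("CHECK_USERNAME")
    words = [w for w in owner.upper().split() if len(w) > 1]  # assumption: split on spaces
    if cfg["CHECK_OWNER"] and any(w in pw.upper() for w in words):
        failed.append("CHECK_OWNER")
    return failed
```

Calling `violations("A5678_J")` reports only `MAX_SEQUENCE`, matching the page's example; the constructed password `Rx7$Qm2w` passes for an owner field of "John R Smith" because the single letter R is not checked.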
For additional information, to request a demo license, or to purchase the OpenVMS Password Policy℠, please contact us at
888-4PARSEC, send an e-mail to experts@parsec.com
or use our inquiry form.