User account, password, and authentication CLI Commands
Use these CLI commands to configure user accounts, passwords, and authentication.
Authenticating GuardAPI commands with set guiuser
Before you can call any GuardAPI commands, you must log in to the command line interface (CLI) with one of the default CLI accounts (guardcli1, guardcli2, ... guardcli9), and then run the set guiuser CLI command. This authentication is required to prevent users with limited roles in the GUI from gaining unauthorized access to GuardAPI commands. For more information about the GuardAPI commands, see Using GuardAPI commands.
Certain GuardAPI commands are available only to certain user roles. For example, the GUI user that you set with set guiuser must hold both the accessmgr and cli roles to view or use the create_user, set_user_roles, or update_user GuardAPI commands. Create that user, with a password and the appropriate roles, from the accessmgr account. For more information, see Creating a user who can run GuardAPI commands.
set guiuser
Syntax
set guiuser <gui_user or LDAP user> password <password or LDAP password>
Example
You must run set guiuser whenever you want to use GuardAPI commands. When you set the guiuser for the first time, you are prompted to change the password, as shown in the following example.
$ ssh guardcli1@a1.corp.com
IBM Guardium, Command Line Interface (CLI)
guardcli1@a1.corp.com's password:
Last login: Thu Nov 4 14:56:34 2020 from 123.a1.corp.com
123.a1.corp.com> set guiuser Hadrian.Swall
Enter current password:
First login as Hadrian.Swall. Please change the default password.
Enter new password:
Re-enter new password:
ok
Show command
show guiuser
Password Control Commands
- store password disable: Sets the number of days after which an inactive account is disabled.
- store password expiration: Sets the number of days after which a password expires.
- store password validation: Enables or disables the hardened password validation rules.
Account Lockout Commands
- Enable or disable the feature. See store account lockout.
- Set the maximum number of login failures that are allowed for an account within the specified number of seconds. See store account strike count and store account strike interval.
- Set the maximum number of failures that are allowed for an account over the life of the Guardium appliance. See store account strike max.
- To unlock the admin user account if it becomes locked, see unlock admin.
After a Guardium user account is disabled, users with the accessmgr role, or the admin user, can enable the account from the Guardium portal.
Example
The following example enables account lockout, disables an account after five login failures within 60 seconds, and sets the maximum number of lifetime failures that are allowed to 999.
store account lockout on
store account strike count 5
store account strike interval 60
store account strike max 999
If the admin user account is locked, use the unlock admin command to unlock it.
If account lockout is enabled, setting the strike count or strike max to zero does not disable that type of check. Instead, the account is disabled after a single login failure.
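To make the interaction of the four settings concrete, the following is an added model written for this page; it is not Guardium's implementation. It assumes that a failure counts toward the strike count while it is less than strike interval seconds old, that the thresholds are "n or more" (so a strike count or strike max of 0 disables the account on the first failure, as the note above warns), and that a successful login clears the interval window but not the lifetime total. The login events are constructed, not real appliance logs.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class LockoutPolicy:
    """The four 'store account ...' settings described on this page."""
    lockout: bool = True        # store account lockout on|off
    strike_count: int = 5       # store account strike count <n>
    strike_interval: int = 60   # store account strike interval <n> (seconds)
    strike_max: int = 999       # store account strike max <n> (lifetime)


class LockoutTracker:
    """Tracks login failures per account and decides when an account is disabled.

    Assumed semantics (a model, not Guardium's code): a failure counts toward the
    strike count while it is less than strike_interval seconds old, and thresholds
    are 'n or more', so n == 0 disables the account on its first failure.
    """

    def __init__(self, policy: LockoutPolicy):
        self.policy = policy
        self.window = defaultdict(list)   # account -> recent failure timestamps
        self.lifetime = defaultdict(int)  # account -> failures since install
        self.locked = {}                  # account -> reason it was disabled

    def login_failure(self, account: str, ts: float):
        """Record a failed login at time ts (seconds); return the lock reason or None."""
        p = self.policy
        if not p.lockout:
            return None
        if account in self.locked:
            return self.locked[account]
        self.lifetime[account] += 1
        recent = [t for t in self.window[account] if ts - t < p.strike_interval]
        recent.append(ts)
        self.window[account] = recent
        if len(recent) >= p.strike_count:
            self.locked[account] = (f"{len(recent)} failures within "
                                    f"{p.strike_interval}s (strike count {p.strike_count})")
        elif self.lifetime[account] >= p.strike_max:
            self.locked[account] = (f"{self.lifetime[account]} lifetime failures "
                                    f"(strike max {p.strike_max})")
        return self.locked.get(account)

    def login_success(self, account: str) -> bool:
        """A disabled account is refused; otherwise the interval window is cleared
        (the lifetime total is assumed to persist)."""
        if account in self.locked:
            return False
        self.window[account].clear()
        return True

    def unlock(self, account: str):
        """Equivalent of 'unlock admin' or re-enabling the account from the portal."""
        self.locked.pop(account, None)
        self.window[account].clear()


def replay(policy: LockoutPolicy, events):
    """Replay constructed (account, timestamp, succeeded) events; return locked accounts."""
    tracker = LockoutTracker(policy)
    for account, ts, ok in events:
        if ok:
            tracker.login_success(account)
        else:
            tracker.login_failure(account, ts)
    return dict(tracker.locked)


if __name__ == "__main__":
    # Constructed sample: 'alice' fails 5 times in 40 s, 'bob' fails 5 times spread
    # over 10 minutes, 'carol' logs in successfully after two failures.
    events = [("alice", t, False) for t in (0, 10, 20, 30, 40)]
    events += [("bob", t, False) for t in (0, 150, 300, 450, 600)]
    events += [("carol", 0, False), ("carol", 5, False), ("carol", 9, True)]
    print(replay(LockoutPolicy(), events))
    # The same events under 'store account strike count 0': one failure disables.
    print(replay(LockoutPolicy(strike_count=0), events))
```

With the page's example values only alice is disabled; bob's failures never fall within one 60-second window. With strike count 0, every account that fails once is disabled, which is the behaviour the warning above describes.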
store account lockout
Enables (on) or disables (off) the automatic account lockout feature, which disables a user account after a specified number of login failures.
Syntax
store account lockout <on | off>
Show command
show account lockout
store account strike count
Sets the number of failed login attempts (n) in the configured strike interval before the account is disabled.
Syntax
store account strike count <n>
Show command
show account strike count
store account strike interval
Sets the number of seconds (n) during which the configured number of failed login attempts must occur to disable the account.
Syntax
store account strike interval <n>
Show command
show account strike interval
store account strike max
Sets the maximum number (n) of failed login attempts to be allowed for an account over the life of the server before the account is disabled.
Syntax
store account strike max <n>
Show command
show account strike max
store disable_sha1_passwords
By default, Guardium GUI user passwords are hashed with a strong password hashing algorithm. The store disable_sha1_passwords CLI command lets admins stop accepting, and remove, existing SHA-1 (weakly hashed) passwords on their Guardium appliances.
Syntax
store disable_sha1_passwords [true | false]
Run the store disable_sha1_passwords true command on the central manager and all backup central managers, if applicable.
Example:
>store disable_sha1_passwords true
> User passwords will now be hashed with a strong password hashing algorithm.
>store disable_sha1_passwords false
> User passwords will now be hashed with a weak password hashing algorithm.
Weak password hashing algorithms may violate your company compliance requirements.
Show command
show disable_sha1_passwords
The show command returns the current settings for password hashing.
Example:
>show disable_sha1_passwords
>SHA1 passwords are allowed.
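As an added illustration of what the weak setting costs (example code written for this page, not Guardium's code; the page does not name the strong algorithm, so salted PBKDF2-HMAC-SHA256 stands in for "a strong password hashing algorithm"): an unsalted SHA-1 digest of a guessable password falls to a wordlist at one cheap hash per guess, and a single precomputed table serves every account, whereas a salted, iterated hash forces per-account work at a cost the defender chooses. The wordlist and the user password are constructed.

```python
import hashlib
import hmac
import os
import time
from typing import Optional, Tuple

# Constructed wordlist standing in for a real cracking dictionary.
WORDLIST = ["password", "letmein", "Welcome1", "guardium", "Summer2020!", "admin123"]


def sha1_hash(password: str) -> str:
    """Unsalted SHA-1: the weak scheme that 'store disable_sha1_passwords false' permits."""
    return hashlib.sha1(password.encode()).hexdigest()


def crack_sha1(digest_hex: str, wordlist) -> Optional[str]:
    """One digest per guess and no salt, so one precomputed table covers every account."""
    for word in wordlist:
        if hmac.compare_digest(sha1_hash(word), digest_hex):
            return word
    return None


def pbkdf2_hash(password: str, salt: Optional[bytes] = None, iterations: int = 200_000) -> str:
    """Salted, iterated hash (PBKDF2-HMAC-SHA256, an assumed stand-in for the strong scheme)."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def pbkdf2_verify(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; constant-time compare."""
    _, iterations, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


def crack_pbkdf2(stored: str, wordlist) -> Optional[str]:
    """Every guess repeats the full salted computation, separately for every account."""
    for word in wordlist:
        if pbkdf2_verify(word, stored):
            return word
    return None


def guesses_per_second(stored_sha1: str, stored_pbkdf2: str, wordlist) -> Tuple[float, float]:
    """Attacker guess rate against each scheme on this machine. Pass digests of a value
    that is NOT in the wordlist so both loops run the whole list."""
    t0 = time.perf_counter()
    crack_sha1(stored_sha1, wordlist)
    t1 = time.perf_counter()
    crack_pbkdf2(stored_pbkdf2, wordlist)
    t2 = time.perf_counter()
    return len(wordlist) / (t1 - t0), len(wordlist) / (t2 - t1)


if __name__ == "__main__":
    secret = "Summer2020!"          # constructed user password, present in the wordlist
    print("SHA-1 cracked:  ", crack_sha1(sha1_hash(secret), WORDLIST))
    print("PBKDF2 cracked: ", crack_pbkdf2(pbkdf2_hash(secret), WORDLIST), "(after full-cost guesses)")
    sha1_rate, pbkdf2_rate = guesses_per_second(sha1_hash("not-in-list"),
                                                pbkdf2_hash("not-in-list"), WORDLIST)
    print(f"guesses/s  sha1={sha1_rate:,.0f}  pbkdf2={pbkdf2_rate:,.1f}")
```

The guessable password is recovered under both schemes; what changes is the cost per guess and the fact that the salt makes every account a separate job. That cost gap, not secrecy of the algorithm, is what the "weak password hashing algorithm" warning above refers to.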
store guarduser_state
From the cli account for your Guardium appliance, you can enable or disable the guardcliN (that is, guardcli1 to guardcli9) login IDs. You can change or show the status of only one ID at a time. Disabling the guardcliN IDs that are not in use removes unused SSH login paths to the appliance.
Syntax
store guarduser_state <disable | enable> <guardcli1..guardcli9>
Example
store guarduser_state disable guardcli4
Show command
show guarduser_state guardcli4
store password disable
Sets the number of days of inactivity after which user accounts are disabled. When set to 0 (zero), no accounts are disabled by inactivity. At installation, the default value is zero. You must restart the GUI after you change this setting (see restart gui).
Syntax
store password disable <days>
Show command
show password disable
store password expiration
Sets the number of days until a user's password expires. The default is 60 days for the cli and guardcli1 - guardcli9 users and 90 days for gui users. The minimum is 1 for cli and guardcli1 - guardcli9 and 0 for gui.
Syntax
store password expiration [cli | guardcli1 - guardcli9 | gui] <days>
- cli: The CLI user.
- guardcli1 through guardcli9: One of the guardcli users.
- gui: The GUI user. If you change the GUI password expiration, you must restart the GUI.
- <days>: The number of days before the password expires. The maximum for cli and guardcli users is 60 days. For gui users only, you can disable password expiration in practice by setting a very high value (up to 7300 days, or 20 years).
The user is prompted to reset the password the first time they log in after the current password expires.
Show command
show password expiration
store password requirements
If store strong_password_enable is on, you can specify password requirements for cli and guardcli accounts to meet your corporate standards.
Syntax
store password requirements <parameter> <number>
Parameter | Meaning |
---|---|
max_repeats | Specify the maximum number of characters of a single type (that is: digits, upper case letters, lower case letters, or symbols) that can be consecutively repeated in a password. |
minimum_length | Specify the minimum password length. |
minimum_digits | Specify the minimum required number of digits (0 - 9). |
minimum_lower | Specify the minimum required number of lower case letters (a - z). |
minimum_upper | Specify the minimum required number of upper case letters (A - Z). |
minimum_symbols | Specify the minimum required number of special characters (from Table 2). |
Example
>store password requirements max_repeats 2
>store password requirements minimum_digits 2
Show command
show password requirements
Sample output
> show password requirements
Passwords must conform to the following rules:
cannot be a dictionary word
maximum repeated characters: 2
maximum repeated characters within a class: 4
minimum digits: 2
minimum length: 15
minimum lower case: 3
minimum symbols: 1
minimum upper case: 3
At least one each of digits, uppercase, lowercase, symbols.
store password validation
Turns password validation on or off. The default value is on. Running this command restarts the GUI to apply the setting. When validation is on, each password must contain at least one of each of the following:
- An uppercase letter (A-Z)
- A lowercase letter (a-z)
- A number (0-9)
- A special character from Table 2
Syntax
store password validation <on | off>
Show command
show password validation
Table 2. Special characters that are allowed in passwords
Character | Description |
---|---|
@ | At sign |
# | Number sign |
$ | Dollar sign |
% | Percent sign |
^ | Circumflex accent (carat) |
& | Ampersand |
. | Full stop (Period) |
; | Semicolon |
! | Exclamation mark |
- | Hyphen (minus) |
+ | Plus sign |
= | Equals sign |
_ | Underscore |
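The following is an added checker, written for this page and not Guardium's own validation code, that applies the rules from the show password requirements sample output together with the character classes and Table 2 symbols from store password validation. Two interpretations are assumed: "maximum repeated characters" (named max_repeated_chars here; the page lists no CLI parameter for it) is a run of the same character, and max_repeats ("within a class") is a run of characters of one class, such as four digits in a row. The dictionary is a constructed stand-in.

```python
import string
from typing import Dict, List, Optional

# Table 2 on this page: the special characters allowed in passwords.
TABLE2_SYMBOLS = set("@#$%^&.;!-+=_")

# Thresholds from the 'show password requirements' sample output.
SAMPLE_RULES: Dict[str, int] = {
    "minimum_length": 15,
    "minimum_digits": 2,
    "minimum_lower": 3,
    "minimum_upper": 3,
    "minimum_symbols": 1,
    "max_repeated_chars": 2,   # "maximum repeated characters" (name chosen here)
    "max_repeats": 4,          # "maximum repeated characters within a class"
}

# Constructed stand-in for the dictionary the CLI checks against.
DICTIONARY = {"password", "guardium", "welcome", "summer"}


def char_class(c: str) -> Optional[str]:
    """Classify one character; None means it is outside the allowed alphabet."""
    if c in string.digits:
        return "digit"
    if c in string.ascii_lowercase:
        return "lower"
    if c in string.ascii_uppercase:
        return "upper"
    if c in TABLE2_SYMBOLS:
        return "symbol"
    return None


def longest_run(items) -> int:
    """Length of the longest run of consecutive equal items."""
    best = current = 0
    previous = object()
    for item in items:
        current = current + 1 if item == previous else 1
        previous = item
        best = max(best, current)
    return best


def check_password(pw: str, rules: Dict[str, int] = SAMPLE_RULES,
                   dictionary=DICTIONARY) -> List[str]:
    """Return the rules the password violates; an empty list means it is accepted.
    Each violation starts with the rule name so callers can match on it."""
    problems = []
    classes = [char_class(c) for c in pw]
    if None in classes:
        bad = "".join(sorted({c for c, k in zip(pw, classes) if k is None}))
        problems.append(f"allowed characters: {bad!r} not in a-z, A-Z, 0-9 or Table 2")
    if pw.lower() in dictionary:
        problems.append("dictionary: password is a dictionary word")
    if len(pw) < rules["minimum_length"]:
        problems.append(f"minimum_length: need {rules['minimum_length']}, got {len(pw)}")
    for name, cls in (("minimum_digits", "digit"), ("minimum_lower", "lower"),
                      ("minimum_upper", "upper"), ("minimum_symbols", "symbol")):
        have = classes.count(cls)
        if have < rules[name]:
            problems.append(f"{name}: need {rules[name]}, got {have}")
    if longest_run(pw) > rules["max_repeated_chars"]:
        problems.append(f"max_repeated_chars: run of {longest_run(pw)} identical characters")
    if longest_run(classes) > rules["max_repeats"]:
        problems.append(f"max_repeats: run of {longest_run(classes)} characters of one class")
    return problems


if __name__ == "__main__":
    # Constructed candidates: one passes; one trips several rules; the last shows
    # that same-character runs and same-class runs are checked separately.
    for candidate in ("Tr0ub4dor&Xyz!Qw2", "Guardium2020!!!", "aaaa1111BBBB$$$"):
        print(candidate, "->", check_password(candidate) or "accepted")
```

Pass a different rules dictionary to model the values you set with store password requirements; the function reports every violated rule rather than stopping at the first, which is what you want when explaining a rejection to a user.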
store strong_password_enable
Use this command to enable or disable strong password checking. This setting applies only to local passwords and does not affect passwords that are validated against external directories such as LDAP. Restart the Guardium GUI for the change to take effect.
Strong passwords must be at least 15 characters and follow the rules that are described in store password validation.
If strong passwords are enabled, you can use store password requirements to specify your own password validation rules.
In addition, when strong_password_enable is on, Guardium checks that the GUI password is not expired, based on the value set with store password expiration.
Syntax
store strong_password_enable [on|off]
Show command
show strong_password_enable
store user password
Use this command to reset the CLI user password. To simplify the support process, Guardium suggests that you keep the CLI user password that was initially assigned by Guardium. You cannot retrieve the CLI user password after it is set. If you lose this password, contact Guardium Support to have it reset.
Syntax
store user password
You are prompted to enter the current password, and then the new password (twice). The password values that you type are not displayed on the screen. The new password must contain:
- Lowercase letters
- Uppercase letters
- Special characters from Table 2.
Running this CLI command also updates the change-time record in the password expiration file.
unlock accessmgr
Use this command to enable the Guardium accessmgr user account after it is disabled. This command does not reset the accessmgr user account password.
Syntax
unlock accessmgr
restart gui
unlock admin
Use this command to enable the Guardium admin user account after it is disabled. This command does not reset the admin user account password.
Syntax
unlock admin
restart gui
Authentication commands
The following commands display or control the type of authentication used.
store auth
Use this command to reset the type of authentication that is used for login to the Guardium appliance to SQL_GUARD (local Guardium authentication, the default).
Syntax
store auth SQL_GUARD
Show command
show auth
store cli_userauth
CLI users are authenticated either locally or by LDAP, but not both, so a local CLI password is not available as a fallback once LDAP is enabled. Before you disconnect, confirm from a second session that an LDAP-backed login succeeds, so that you are not locked out of the appliance CLI.
To enable LDAP authentication for CLI users, including GUARDCLI accounts, use the following command:
Syntax
store cli_userauth ldap --server <server> --basedn <basedn> --rdntype <rdntype> [port number] [usetls]
Note: The default port is 636 with usetls and 389 without it. Without usetls, the bind to the LDAP server, including the user's password, crosses the network in the clear, so use usetls wherever the directory supports it.
Example:
store cli_userauth ldap --server ldapserver.example.com --basedn ou=people,dc=guardium,dc=example,dc=com --rdntype uid
Validating server and port:
OK
Configuring LDAP authentication with
Server: 'ldapserver.example.com'
Port: '389'
Basedn: 'ou=people,dc=guardium,dc=example,dc=com'
RDN Type: 'uid'
Use TLS: '0'
Please confirm [y/n] y
Authentication is set to LDAP
OK
When LDAP authentication is enabled, the following commands are not available:
show password expiration cli
store password expiration cli
store user password
The following message is displayed when you run these commands:
CLI user authentication is managed externally. Please contact your system administrators.
To disable LDAP authentication for CLI users, including GUARDCLI accounts, use the following command:
Syntax
store cli_userauth default
Show command
show cli_userauth [details]