User account, password, and authentication CLI Commands

Use these CLI commands to configure user accounts, passwords, and authentication.

Authenticating GuardAPI commands with set guiuser

Before you can call any GuardAPI commands, you must log in to the command line interface (CLI) with one of the default CLI accounts (guardcli1, guardcli2...guardcli9 ), and then run the set guiuser CLI command. This authentication is required to prevent users with limited roles in the GUI from gaining unauthorized access to GuardAPI commands. For more information about the GuardAPI commands, see Using GuardAPI commands.

Certain GuardAPI commands are available only for certain user roles. For example, you must set the guiuser role to accessmgr and cli to view or use the create_user, set_user_roles, or update_user GuardAPI commands. Create a user and password with appropriate roles from the accessmgr. For more information, see Creating a user who can run GuardAPI commands.

set guiuser

To use the guardclin accounts with GuardAPI commands, you must use set guiuser to associate the guardclin account to the local user and password.

Note: If LDAP authentication is used, enter the LDAP user and LDAP password as the local user and password.

Syntax

set guiuser <gui_user or LDAP user> password <password or LDAP password>

Example

You must run set guiuser whenever you want to use GuardAPI commands. When you set the guiuser for the first time, you are prompted to change the password, as shown in the following example.

$ ssh guardcli2@mycorp.com
IBM Security Guardium , Command Line Interface (CLI)
guardcli1@a1.corp.com's password:
Last login: Thu Nov  4 14:56:34 2020 from 123.a1.corp.com
123.a1.corp.com> set guiuser Hadrian.Swall
Enter current password:
First login as Hadrian.Swall. Please change the default password.
Enter new password:
Re-enter new password:
ok

Note: When you change the password, you cannot reuse the last 10 passwords.

Show command

show guiuser

Password Control Commands

Use the following commands to control user passwords, as follows:

store password disable: Sets the number of days after which an inactive account is disabled.
store password expiration: Sets the number of days after which a password expires.
store password validation: Enables or disables the hardened password validation rules.

Account Lockout Commands

Use the account lockout commands to disable a Guardium user account after one or more failed login attempts. Use these commands to:

Enable or disable the feature. See store account lockout.
Set the maximum number of login failures allowed an account within the specified number of seconds. See store account strike count and store account strike interval.
Set the maximum number of failures allowed an account for the life of the Guardium appliance. See store account strike max.
To unlock the admin user account if it becomes locked, see unlock admin..

After a Guardium user account is disabled, users with the accessmgr role, or the admin user, can enable the account from the Guardium portal.

Example

The following example locks out an account, locks an account after five login failures within 60 seconds, and sets the maximum number of failures that are allowed to 999.

store account lockout on 
store account strike count 5 
store account strike interval 60 
store account strike max 999

Note:

If the admin user account is locked, use the unlock admin command to unlock it.

If account lockout is enabled, setting the strike count or strike max to zero does not disable that type of check. On the contrary, it means that after just one failure the user account is disabled!

store account lockout

Enables (on) or disables (off) the automatic account lockout feature, which disables a user account after a specified number of login failures.

Syntax

store account lockout <on | off>

Show command

show account lockout

store account strike count

Sets the number of failed login attempts (n) in the configured strike interval before the account is disabled.

Syntax

store account strike count <n>

Show command

show account strike count

store account strike interval

Sets the number of seconds (n) during which the configured number of failed login attempts must occur to disable the account.

Syntax

store account strike interval <n>

Show command

show account strike interval

store account strike max

Sets the maximum number (n) of failed login attempts to be allowed for an account over the life of the server before the account is disabled.

Syntax

store account strike max <n>

Show command

show account strike max

store disable_sha1_passwords

By default, the Guardium GUI user passwords are hashed with a strong password hashing algorithm. The store disable_sha1_passwords CLI command allows admins to remove existing passwords that are weakly hashed from their Guardium appliances.

Note: In an upgrade scenario, this command removes only weak passwords for users who have logged in since the upgrade.

Syntax

store disable_sha1_passwords [true | false]

Run the store disable_sha1_passwords true command on the central manager and all backup central managers, if applicable.

Example:

>store disable_sha1_passwords true
> User passwords will now be hashed with a strong password hashing algorithm.

>store disable_sha1_passwords false
> User passwords will now be hashed with a weak password hashing algorithm.
Weak password hashing algorithms may violate your company compliance requirements.

Show command

show disable_sha1_passwords

The show command returns the current settings for password hashing.

Example:

>show disable_sha1_passwords 
>SHA1 passwords are allowed.

Note: In an upgrade scenario, the show command returns the users who have not logged in since the upgrade.

store guarduser_state

From the cli account for your Guardium appliance, you can now enable or disable the guardclin (that is guardcli1 to guardcli9 ) login IDs. You can only change or show the status of one ID at a time.

Syntax

store guarduser_state <disable|enable> <guardcli1..guardcli9
>

For example, to disable guardcli4:

store guarduser_state disable guardcli4

Show command

show guarduser_state guardcli4

store password disable

Sets the number of days of inactivity after which user accounts are disabled. When set to 0 (zero), no accounts are disabled by inactivity. At installation, the default value is zero. You must restart the GUI after you change this setting (see restart gui).

Syntax

store password disable <days>

Show command

show password disable

store password expiration

Sets the number of days until a user's password expires. The default value is 60 for cli and guardcli1 - guardcli9 users, and 90 for gui users. The minimum is 1 for cli and guardcli1 - guardcli9 and 0 for gui.

Syntax

store password expiration [cli | guardcli1 - guardcli9 | gui] <days>

Where:

- cli: The CLI user.
- guardcli1 through guardcli9: One of the guardcli users.
- gui: The GUI user. If you change the GUI password expiration, you must restart the GUI.
<days>: The number of days before the password expires.
- The maximum number of days for cli and guardcli users is 60.
- For gui users only, you can disable the password expiration in practice by setting the expiration days to a very high number (up to 7300 days, or 20 years).
The account user is prompted to reset the password the first time they log in after the current password expires.

Show command

show password expiration

store password requirements

If store strong_password_enable is enabled, then you can specify certain password requirements for cli and guardcli accounts to meet your corporate standards.

Syntax

store password requirements <parameter> <number>

Where parameter is one of the parameters in the following table, and number is the requirement for that parameter.

Table 1. Parameters for store password requirements CLI
Parameter	Meaning
max_repeats	Specify the maximum number of characters of a single type (that is: digits, upper case letters, lower case letters, or symbols) that can be consecutively repeated in a password.
minimum_length	Specify the minimum password length.
minimum_digits	Specify the minimum required number of digits (0 - 9).
minimum_lower	Specify the minimum required number of lower case letters (a - z).
minimum_upper	Specify the minimum required number of upper case letters (A - Z).
minimum_symbols	Specify the minimum required number of special characters (from Table 2).

Example

>store password requirements max_repeats 2
>store password requirements minimum_digits 2

Show command

show password requirements

Sample output

> show password requirements
Passwords must conform to the following rules:
    cannot be a dictionary word
    maximum repeated characters: 2
    maximum repeated characters within a class: 4
    minimum digits: 2
    minimum length: 15
    minimum lower case: 3
    minimum symbols: 1
    minimum upper case: 3
    At least one each of digits, uppercase, lowercase, symbols.

store password validation

Turns password validation on or off. The default value is on. Running this command restarts the GUI to apply this setting.

When password validation is enabled, passwords must be eight or more characters long, and must include at least one of each:

An uppercase letter (A-Z)
A lowercase letter (a-z)
A number (0-9)
A special character from Table 2

When password validation is disabled (not recommended), any length or combination of characters is allowed.

Syntax

store password validation <on | off>

Show command

show password validation

Table 2. Special characters for Guardium passwords
Character	Description
@	At sign
#	Number sign
$	Dollar sign
%	Percent sign
^	Circumflex accent (carat)
&	Ampersand
.	Full stop (Period)
;	Semicolon
!	Exclamation mark
-	Hyphen (minus)
+	Plus sign
=	Equals sign
_	Underscore

store strong_password_enable

Use this command to enable or disable strong password checking. This setting applies only to local passwords and does not affect passwords that are validated against external directories such as LDAP. Restart the Guardium GUI for the changes to take effect.

Strong passwords must be at least 15 characters and follow the rules that are described in store password validation.

If strong passwords are enabled, you can use store password requirements to specify your own password validation rules.

In addition, when strong_password_enableis on, Guardium ensures that the GUI password is not expired, based on the value of the store password expiration command.

Syntax

store strong_password_enable [on|off]

Show command

show strong_password_enable

store user password

Use this command to reset the CLI user password. To simplify the support process, Guardium suggests that you keep the CLI user password assigned initially by Guardium. You cannot retrieve the CLI user password after it is set. If you lose this password, contact Guardium Support to have it reset.

Syntax

store user password

You are prompted to enter the current password, and then the new password (twice). The password values that you enter on the keyboard do not display on the screen.

The CLI user password requirements differ from the requirements for user passwords. The CLI user password must be at least 8 characters long, and must contain at least one each of the following types of characters:

Lowercase letters
Uppercase letters
Special characters from Table 2.

Running this CLI command also updates the change-time record in the password expiration file.

unlock accessmgr

Use this command to enable the Guardium accessmgr user account after it is disabled. This command does not reset the accessmgr user account password.

Note: Only users with admin role are allowed to run this CLI command.

Syntax

unlock accessmgr

restart gui

unlock admin

Use this command to enable the Guardium admin user account after it is disabled. This command does not reset the admin user account password.

Note: Only users with admin role are allowed to run this CLI command.

Syntax

unlock admin

restart gui

Authentication commands

The following commands display or control the type of authentication used.

store auth

Use this command to reset the type of authentication that is used for login to the Guardium appliance, to SQL_GUARD (that is, the local Guardium authentication, the default).

Syntax

store auth SQL_GUARD

Show command

show auth

store cli_userauth

CLI users can be authenticated locally or by LDAP, but not both.

To enable LDAP authentication for CLI users, including GUARDCLI accounts, use the following command:

Syntax

store cli_userauth ldap --server <server> --basedn<basedn> --rdntype<rdntype> [port number] [usetls]

Note: The default TLS port number is 636 and the default plain is 389.

Example:

store cli_userauth ldap --server ldapserver.example.com --basedn ou=people,dc=guardium,dc=example,dc=com --rdntype uid
Validating server and port:
OK
Configuring LDAP authentication with
Server:   'ldapserver.example.com'
Port:     '389'
Basedn:   'ou=people,dc=guardium,dc=example,dc=com'
RDN Type: 'uid'
Use TLS:  '0'
Please confirm [y/n] y
Authentication is set to LDAP
OK

Note: Trusted certificates that are required for LDAP with SSL option must be imported from the GUI.

When LDAP authentication is enabled, the following commands are not available:

show password expiration cli
store password expiration cli
store user password

The following message is displayed when you run these commands:

CLI user authentication is managed externally. Please contact your system administrators.

To disable LDAP authentication for CLI users, including GUARDCLI accounts, use the following command:

Syntax

store cli_userauth default

Show command

show cli_userauth [details]