Configuring miscellaneous settings

Configure several miscellaneous settings to meet various PCI DSS requirements.

  1. In the user interface, click the Administration tab.
  2. Locate the User Accounts section.
    Figure 1. User accounts settings
    The image shows the User Accounts section. Maximum failed logins (attempts) is set to 6. Old passwords rejected (passwords) is set to 4. Password validity (days) is set to 90. Maximum User period (days) is set to 90. The Enable system account check box is cleared. The following three checkboxes are selected: Password must contain lower case, Password must contain upper case, and Password must contain digits. The following three checkboxes are cleared: Password must contain special character, User account deletion, and Enable extended authentication.
  3. Verify that your settings match or are more restrictive than those in Figure 1. The default values align with PCI DSS 4.0 requirements. If you make changes, ensure that you still meet the requirements.
  4. Click the Interfaces tab and scroll down to the Application Programming Interface section.
    Figure 2. API settings
    The image shows the Application Programming Interface section. Session timeout (seconds) is set to 3600. Session timeout countdown threshold (seconds) is set to 20. The Cross-site request forgery protection checkbox is selected.
  5. Select the Cross-site request forgery protection checkbox. Make sure that Session timeout (seconds) is set to a value of 900 seconds or less.
    Note: If you want to use tested default and secure HTTP headers, ensure that Use custom HTTP headers is disabled.
  6. Scroll up to locate the Message Tracing section under Message Command Interface.
    Figure 3. Message Tracing settings
    The image shows the Message Tracing section. Dump message data is set to Disabled. Dump reformatted messages (#) is set to zero.
  7. Select Disabled from the Dump message data drop-down list. Enter 0 in the Dump malformatted message field.
    Note: The setting is necessary to comply with PCI DSS requirement 3.5.1.
  8. Scroll down to locate the MQ Interface section.
    Figure 4. MQ Interface settings
    The image shows the IBM MQ Interface section. Dump message data is set to Disabled. Dump reformatted messages (#) is set to zero.
  9. Select Disabled from the Dump message data drop-down list. Enter 0 in the Dump malformatted message field.
    Note: The setting is necessary to comply with PCI DSS requirement 3.5.1.
  10. Scroll down to the Kafka Interface section.
  11. Select Disabled from the Dump message data drop-down list. Enter 0 in the Dump malformatted message field.
    Note: The setting is necessary to comply with PCI DSS requirement 3.5.1.
  12. Click the Misc tab and scroll down to the Miscellaneous section.
  13. Verify that SSL cipher list has the following entries:
    ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
    Note: This list might be outdated, because new vulnerabilities may have been discovered since it was published. The OpenSSL website publishes regular security advisories, including information about newly discovered vulnerabilities in cipher suites and protocol implementations.

    http://www.openssl.org/
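The following Python script is an added example and is not part of the product documentation. It turns the limits stated in the steps above into a repeatable check that can be run against an exported copy of the settings: it parses an OpenSSL-style cipher list and flags any suite that lacks forward secrecy (no ECDHE/DHE key exchange) or that is not an AEAD suite (the property every entry of the list in step 13 has), and it compares the numeric and on/off settings with the values the guide requires. The dictionary key names (`max_failed_logins`, `session_timeout_seconds`, and so on) and the sample export are constructed for this example; they are not the product's own export format.

```python
# Added example, not part of the product documentation. Thresholds are the
# values this guide states; the settings keys are assumed names for the example.

AEAD_MARKERS = ("-GCM-", "-CHACHA20-POLY1305")
FORWARD_SECRET_KX = ("ECDHE-", "DHE-")

# Cipher list exactly as given in step 13 of the guide.
EXPECTED_CIPHER_LIST = (
    "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:"
    "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:"
    "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:"
    "DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384"
)


def parse_cipher_list(cipher_list):
    """Split an OpenSSL-style colon-separated cipher string into suite names.

    Entries beginning with '!', '-' or '+' are OpenSSL directives (permanently
    exclude, remove, move to end), not suites, and are skipped along with
    empty entries.
    """
    suites = []
    for entry in cipher_list.split(":"):
        entry = entry.strip()
        if not entry or entry[0] in "!-+":
            continue
        suites.append(entry)
    return suites


def check_cipher_list(cipher_list):
    """Return (ok, findings) for a cipher list.

    A suite passes when its key exchange is ephemeral (ECDHE or DHE, which gives
    forward secrecy) and its cipher is an AEAD mode (AES-GCM or ChaCha20-Poly1305).
    Every entry of the guide's recommended list satisfies both conditions.
    """
    findings = []
    for suite in parse_cipher_list(cipher_list):
        if not suite.startswith(FORWARD_SECRET_KX):
            findings.append(f"{suite}: no forward secrecy (key exchange is not ECDHE/DHE)")
        if not any(marker in suite for marker in AEAD_MARKERS):
            findings.append(f"{suite}: not an AEAD suite")
    return (not findings, findings)


def check_settings(settings):
    """Compare a dict of observed settings with the limits stated in the guide.

    Returns (ok, findings); each finding names the key and the expectation it misses.
    """
    findings = []

    def limit(key, predicate, expectation):
        value = settings.get(key)
        if value is None:
            findings.append(f"{key}: not present in export")
        elif not predicate(value):
            findings.append(f"{key}: {value!r} does not satisfy '{expectation}'")

    limit("max_failed_logins", lambda v: v <= 6, "at most 6 attempts")
    limit("old_passwords_rejected", lambda v: v >= 4, "at least 4 previous passwords")
    limit("password_validity_days", lambda v: v <= 90, "at most 90 days")
    limit("csrf_protection", lambda v: v is True, "enabled")
    limit("session_timeout_seconds", lambda v: v <= 900, "at most 900 seconds")
    # Steps 7, 9 and 11: no message dumps on any of the three interfaces.
    for iface in ("message_command", "mq", "kafka"):
        limit(f"{iface}_dump_message_data", lambda v: v == "Disabled", "Disabled")
        limit(f"{iface}_dump_malformatted_messages", lambda v: v == 0, "0")
    limit("ssl_cipher_list", lambda v: bool(parse_cipher_list(v)), "non-empty")
    findings.extend(check_cipher_list(settings.get("ssl_cipher_list", ""))[1])
    return (not findings, findings)


# Constructed sample export: the guide's recommended values, except that the
# session timeout is the 3600 seconds shown in Figure 2, above the 900-second limit.
SAMPLE_EXPORT = {
    "max_failed_logins": 6,
    "old_passwords_rejected": 4,
    "password_validity_days": 90,
    "csrf_protection": True,
    "session_timeout_seconds": 3600,
    "message_command_dump_message_data": "Disabled",
    "message_command_dump_malformatted_messages": 0,
    "mq_dump_message_data": "Disabled",
    "mq_dump_malformatted_messages": 0,
    "kafka_dump_message_data": "Disabled",
    "kafka_dump_malformatted_messages": 0,
    "ssl_cipher_list": EXPECTED_CIPHER_LIST,
}

if __name__ == "__main__":
    ok, findings = check_settings(SAMPLE_EXPORT)
    print("compliant" if ok else "findings:")
    for finding in findings:
        print("  " + finding)
```

Running the script on the sample export reports a single finding for the 3600-second session timeout; replacing the cipher list with a legacy string such as `AES128-SHA:ECDHE-RSA-AES128-SHA256` additionally flags the static-RSA suite (no forward secrecy, not AEAD) and the CBC suite (not AEAD).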