chsecurity

Use the chsecurity command to change the security settings for a system.

Syntax

chsecurity [-sslprotocol security_level | -sshprotocol security_level] [-guitimeout gui_timeout_mins] [-clitimeout cli_timeout_mins] [-minpasswordlength min_password_length] [-passwordspecialchars password_special_chars] [-passworduppercase password_upper_case] [-passwordlowercase password_lower_case] [-passworddigits password_digits] [-checkpasswordhistory yes | no] [-maxpasswordhistory max_password_history] [-minpasswordage min_password_age_days] [-passwordexpiry password_expiry_days] [-expirywarning expiry_warning_days] [-superuserlocking enable | disable] [-maxfailedlogins max_failed_login_attempts] [-lockoutperiod lockout_period_mins] [-resetpolicy]

Parameters

Remember: You must specify -sslprotocol or -sshprotocol, not both.
-sslprotocol security_level
(Required) Specifies the numeric value for the SSL security level setting, which can take any value from 1 to 4. A setting of 3 is the default value.
Use these sslprotocol security level settings.
  • 1 Disallows SSL 3.0.
  • 2 Allows TLS 1.2 only.
  • 3 Additionally disallows TLS 1.2 cipher suites that are not exclusive to 1.2.
  • 4 Additionally disallows RSA key exchange ciphers and static key exchange ciphers.
This parameter cannot be run with any other parameters.

Changing the SSL security level might disable the GUI connection on older web browsers. If connection is lost, use the CLI prompt to change the security level back to a known good level.
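The following added example (not part of this reference, and not the system's own cipher list) shows how to check, before raising the level, what a client actually negotiates with the management interface and which -sslprotocol level that session would still survive. The mapping from cipher names to levels is an approximation of the four level descriptions above, using the OpenSSL-style names that Python's ssl module returns; the host address and CA bundle path are placeholders supplied on the command line.

```python
"""Report what a client negotiates with the management interface and the highest
chsecurity -sslprotocol level that session would still survive.

Added example, not the product's code. The level mapping approximates the four
level descriptions in the chsecurity reference; the real cipher list is assumed.
"""
import socket
import ssl
from typing import Optional

# Tokens that only appear in TLS 1.2-or-newer suites (AEAD modes or SHA-2 MACs).
# Assumption: this is what "exclusive to 1.2" means at level 3.
TLS12_ONLY_TOKENS = ("GCM", "CCM", "CHACHA20", "SHA256", "SHA384")


def allowed_at_level(protocol: str, cipher: str) -> int:
    """Return the highest -sslprotocol level (1..4) at which a session with this
    protocol version and cipher would still be accepted, or 0 if none.

    Level 1 only removes SSL 3.0; level 2 requires TLS 1.2 or newer; level 3 also
    requires a TLS 1.2-exclusive suite; level 4 also requires an ephemeral
    (ECDHE/DHE) key exchange, ruling out RSA and static (EC)DH exchanges.
    """
    if protocol == "SSLv3":
        return 0
    if protocol not in ("TLSv1.2", "TLSv1.3"):
        return 1
    name = cipher.upper()
    if not any(token in name for token in TLS12_ONLY_TOKENS):
        return 2
    # TLS 1.3 suite names carry no key-exchange part; the protocol itself only
    # permits ephemeral (EC)DHE exchanges.
    ephemeral = protocol == "TLSv1.3" or name.startswith(("ECDHE-", "DHE-"))
    return 4 if ephemeral else 3


def probe(host: str, port: int = 443, cafile: Optional[str] = None,
          timeout: float = 5.0) -> dict:
    """Connect with the local default client settings and report the outcome.

    Certificate verification stays on; pass cafile for a self-signed management
    certificate rather than disabling verification.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            protocol = tls.version()
            cipher = tls.cipher()[0]
    return {
        "protocol": protocol,
        "cipher": cipher,
        "max_sslprotocol_level": allowed_at_level(protocol, cipher),
    }


if __name__ == "__main__":
    import sys

    # usage: python tls_level_check.py <management-address> [ca-bundle.pem]
    print(probe(sys.argv[1], cafile=sys.argv[2] if len(sys.argv) > 2 else None))
```

Run the probe from each client platform that must keep GUI access (older browsers in particular) and compare max_sslprotocol_level with the level you intend to set; a result below the target level means that client will lose its connection after the change.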

-sshprotocol security_level
(Required) Specifies the numeric value for the SSH security level setting, which can take a value of 1 or 2. A setting of 1 is the default value.
Use these sshprotocol security level settings.
  • 1 Allows the following key exchange methods:
    • curve25519-sha256
    • curve25519-sha256@libssh.org
    • ecdh-sha2-nistp256
    • ecdh-sha2-nistp384
    • ecdh-sha2-nistp521
    • diffie-hellman-group-exchange-sha256
    • diffie-hellman-group16-sha512
    • diffie-hellman-group18-sha512
    • diffie-hellman-group14-sha256
    • diffie-hellman-group14-sha1
    • diffie-hellman-group1-sha1
    • diffie-hellman-group-exchange-sha1
  • 2 Allows the following key exchange methods:
    • curve25519-sha256
    • curve25519-sha256@libssh.org
    • ecdh-sha2-nistp256
    • ecdh-sha2-nistp384
    • ecdh-sha2-nistp521
    • diffie-hellman-group-exchange-sha256
    • diffie-hellman-group16-sha512
    • diffie-hellman-group18-sha512
    • diffie-hellman-group14-sha256
    • diffie-hellman-group14-sha1
This parameter cannot be run with any other parameters.

Changing the SSH security level might log out existing SSH sessions.
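The following added example (not part of this reference) predicts which key exchange method a given SSH client negotiates at each -sshprotocol level, so that automation hosts and jump servers can be checked before the level is raised. The two method lists are copied from the parameter description above; the client configurations are constructed samples in the format printed by `ssh -G <host>`, whose kexalgorithms line gives the client's proposal in preference order.

```python
"""Predict which SSH key-exchange method a client negotiates at each
chsecurity -sshprotocol level.

Added example, not the product's code. The method lists are those given for
levels 1 and 2; the client configurations below are constructed samples.
"""

SSH_KEX_BY_LEVEL = {
    1: [
        "curve25519-sha256",
        "curve25519-sha256@libssh.org",
        "ecdh-sha2-nistp256",
        "ecdh-sha2-nistp384",
        "ecdh-sha2-nistp521",
        "diffie-hellman-group-exchange-sha256",
        "diffie-hellman-group16-sha512",
        "diffie-hellman-group18-sha512",
        "diffie-hellman-group14-sha256",
        "diffie-hellman-group14-sha1",
        "diffie-hellman-group1-sha1",
        "diffie-hellman-group-exchange-sha1",
    ],
    2: [
        "curve25519-sha256",
        "curve25519-sha256@libssh.org",
        "ecdh-sha2-nistp256",
        "ecdh-sha2-nistp384",
        "ecdh-sha2-nistp521",
        "diffie-hellman-group-exchange-sha256",
        "diffie-hellman-group16-sha512",
        "diffie-hellman-group18-sha512",
        "diffie-hellman-group14-sha256",
        "diffie-hellman-group14-sha1",
    ],
}


def kex_from_ssh_g(output: str) -> list:
    """Extract the client's key-exchange proposal, in preference order, from the
    output of `ssh -G <host>` (one `keyword value` pair per line)."""
    for line in output.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0].lower() == "kexalgorithms":
            return [m.strip() for m in parts[1].split(",") if m.strip()]
    return []


def negotiated_kex(level: int, client_kex: list):
    """Return the method that would be chosen, or None if the client cannot
    connect at this level. SSH takes the first entry in the client's list that
    the server also supports (RFC 4253, section 7.1)."""
    allowed = set(SSH_KEX_BY_LEVEL[level])
    for method in client_kex:
        if method in allowed:
            return method
    return None


def methods_removed(old_level: int, new_level: int) -> list:
    """Methods accepted at old_level but not at new_level, in the listed order."""
    keep = set(SSH_KEX_BY_LEVEL[new_level])
    return [m for m in SSH_KEX_BY_LEVEL[old_level] if m not in keep]


# Constructed samples (documentation address, not a real host): a legacy client
# that only offers SHA-1 methods, and a current client.
LEGACY_CLIENT = """\
user automation
hostname 192.0.2.10
kexalgorithms diffie-hellman-group1-sha1,diffie-hellman-group-exchange-sha1
"""
CURRENT_CLIENT = """\
user automation
hostname 192.0.2.10
kexalgorithms curve25519-sha256,ecdh-sha2-nistp256,diffie-hellman-group14-sha1
"""


def report(level: int, ssh_g_output: str) -> str:
    kex = negotiated_kex(level, kex_from_ssh_g(ssh_g_output))
    return f"level {level}: {kex or 'no common method, client would be locked out'}"


if __name__ == "__main__":
    for name, cfg in (("legacy", LEGACY_CLIENT), ("current", CURRENT_CLIENT)):
        for level in (1, 2):
            print(name, report(level, cfg))
    print("removed when raising 1 -> 2:", methods_removed(1, 2))
```

Feed the real `ssh -G <system-address>` output from each host into report() for the target level; a host that reports no common method needs its client updated before you run chsecurity -sshprotocol 2, because the change logs out existing sessions and that host could not reconnect.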

-guitimeout gui_timeout_mins
(Optional) Specifies the amount of time (in minutes) before a session expires and the user is logged out of the GUI for inactivity. The value must be an integer in the range 5 - 240.
-clitimeout cli_timeout_mins
(Optional) Specifies the amount of time (in minutes) before a session expires and the user is logged out of the CLI for inactivity. The value must be an integer in the range 5 - 240.
-minpasswordlength min_password_length
(Optional) Specifies the minimum length requirement for user account passwords on the system. The value must be an integer in the range 6 - 64.
-passwordspecialchars password_special_chars
(Optional) Specifies how many special characters are required in passwords for local users. A value of 0 means that no special characters are required. The value must be an integer in the range 0 - 3.
-passworduppercase password_upper_case
(Optional) Specifies how many uppercase characters are required in passwords for local users. A value of 0 means that no uppercase characters are required. The value must be an integer in the range 0 - 3.
-passwordlowercase password_lower_case
(Optional) Specifies how many lowercase characters are required in passwords for local users. A value of 0 means that no lowercase characters are required. The value must be an integer in the range 0 - 3.
-passworddigits password_digits
(Optional) Specifies how many digits are required in passwords for local users. A value of 0 means that no numbers are required. The value must be an integer in the range 0 - 3.
-checkpasswordhistory yes | no
(Optional) Specifies whether the system prevents the user from reusing a previous password. The value is either yes or no. This parameter is not supported on the FlashSystem 5010, FlashSystem 5015, FlashSystem 5030, and FlashSystem 5035.
-maxpasswordhistory max_password_history
(Optional) Specifies the number of previous passwords to compare with if checkpasswordhistory is enabled. A value of 0 means that the new password is compared with the current password only. The value must be an integer in the range 0 - 10.
-minpasswordage min_password_age_days
(Optional) Specifies the minimum number of days between password changes. This setting is enforced if checkpasswordhistory is enabled. This restriction is ignored if the password is expired. The setting does nothing if the value is greater than the passwordexpiry value. The value must be an integer in the range 0 - 365.
-passwordexpiry password_expiry_days
(Optional) Specifies the number of days before a password expires. A value of 0 means the feature is disabled and passwords do not expire. The value must be an integer in the range 0 - 365.
-expirywarning expiry_warning_days
(Optional) Specifies how many days before a password expires to raise a warning. The warning is displayed on every CLI login until the password is changed. A value of 0 means that the feature is disabled and warnings are not displayed. The value must be an integer in the range 0 - 30.
-superuserlocking enable | disable
(Optional) Specifies whether the locking policy that is configured on the system also applies to the superuser. The value is either enable or disable. This parameter is only supported on systems with a dedicated technician port.
-maxfailedlogins max_failed_login_attempts
(Optional) Specifies the number of failed login attempts before the user account is locked for the amount of time that is specified in lockoutperiod. A value of 0 means that the feature is disabled and accounts are not locked out after failed login attempts. The value must be an integer in the range 0 - 10.
-lockoutperiod lockout_period_mins
(Optional) Specifies the number of minutes that a user is locked out for if the maximum number of failed login attempts is reached. A value of 0 means that the user is locked out indefinitely when the maximum number of failed login attempts is reached. The value must be an integer in the range 0 - 10080.
-resetpolicy
(Optional) Resets all of the security settings to their default values. A yes / no warning prompt is displayed to confirm the action. This parameter cannot be run with any other parameters.
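The following added example (not the system's implementation) models how the password and lockout parameters above combine when a local user changes a password or logs in, in particular the cases where a value of 0 changes meaning: maxpasswordhistory 0 compares with the current password only, passwordexpiry 0 disables expiry, lockoutperiod 0 locks indefinitely, and minpasswordage is ignored once the password has expired. Parameter names and those rules come from the descriptions above; the evaluation order, the boundary at which a password counts as expired, the definition of a special character, and the sample values (taken from the invocation examples on this page) are assumptions.

```python
"""Model of how the chsecurity password and lockout parameters combine for a
local user. Added example, not the product's code: the meaning of 0 for each
parameter follows the reference text; evaluation order, the expiry boundary and
the sample values are assumptions.
"""
from dataclasses import dataclass
from typing import List, Optional
import string


@dataclass
class SecurityPolicy:
    minpasswordlength: int
    passwordspecialchars: int
    passworduppercase: int
    passwordlowercase: int
    passworddigits: int
    checkpasswordhistory: bool
    maxpasswordhistory: int  # 0 = compare with the current password only
    minpasswordage: int
    passwordexpiry: int      # 0 = passwords never expire
    expirywarning: int       # 0 = no warning
    maxfailedlogins: int     # 0 = no lockout
    lockoutperiod: int       # 0 = indefinite lockout
    superuserlocking: bool


# Constructed sample: the values used in the invocation examples of this page.
SAMPLE_POLICY = SecurityPolicy(
    minpasswordlength=12, passwordspecialchars=0, passworduppercase=3,
    passwordlowercase=2, passworddigits=1, checkpasswordhistory=True,
    maxpasswordhistory=3, minpasswordage=1, passwordexpiry=60, expirywarning=14,
    maxfailedlogins=4, lockoutperiod=60, superuserlocking=True,
)


@dataclass
class PasswordState:
    current: str
    previous: List[str]  # older passwords, most recent first
    age_days: int        # days since the current password was set


def is_expired(policy: SecurityPolicy, age_days: int) -> bool:
    return policy.passwordexpiry > 0 and age_days >= policy.passwordexpiry


def expiry_warning(policy: SecurityPolicy, age_days: int) -> Optional[str]:
    """Text shown at CLI login while the password is inside the warning window."""
    if policy.passwordexpiry == 0 or policy.expirywarning == 0:
        return None
    days_left = policy.passwordexpiry - age_days
    if days_left <= 0:
        return "password has expired"
    if days_left <= policy.expirywarning:
        return f"password expires in {days_left} day(s)"
    return None


def check_new_password(policy: SecurityPolicy, state: PasswordState, new: str) -> List[str]:
    """Return every reason the change would be rejected (empty list = accepted)."""
    problems = []
    if len(new) < policy.minpasswordlength:
        problems.append(f"shorter than {policy.minpasswordlength} characters")
    rules = [  # assumption: ASCII punctuation is what counts as "special"
        ("special", policy.passwordspecialchars, lambda c: c in string.punctuation),
        ("uppercase", policy.passworduppercase, str.isupper),
        ("lowercase", policy.passwordlowercase, str.islower),
        ("digit", policy.passworddigits, str.isdigit),
    ]
    for kind, need, test in rules:
        have = sum(1 for c in new if test(c))
        if have < need:
            problems.append(f"needs at least {need} {kind} character(s), has {have}")
    if policy.checkpasswordhistory:
        history = [state.current] + state.previous[:policy.maxpasswordhistory]
        if new in history:
            problems.append(f"reuses one of the last {len(history)} password(s)")
        # minpasswordage applies only with history checking, is ignored once the
        # password has expired, and does nothing when larger than passwordexpiry
        # (read literally, that also makes it inert when expiry is disabled).
        age_in_force = 0 < policy.minpasswordage <= policy.passwordexpiry
        if (age_in_force and not is_expired(policy, state.age_days)
                and state.age_days < policy.minpasswordage):
            problems.append(f"changed {state.age_days} day(s) ago, minimum age is "
                            f"{policy.minpasswordage}")
    return problems


def lockout_minutes(policy: SecurityPolicy, failed_attempts: int,
                    is_superuser: bool = False) -> Optional[float]:
    """None = not locked; a number = minutes locked; float('inf') = indefinite."""
    if policy.maxfailedlogins == 0 or failed_attempts < policy.maxfailedlogins:
        return None
    if is_superuser and not policy.superuserlocking:
        return None
    return float("inf") if policy.lockoutperiod == 0 else float(policy.lockoutperiod)
```

A useful way to read the model: with SAMPLE_POLICY a user who changed a password today is refused another change (minimum age 1 day) unless the password has already expired, and the superuser is locked out after 4 failures only because superuserlocking is enabled, which the reference restricts to systems with a dedicated technician port.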

Description

This command changes the security settings on a system.
Important: If you use SSL or TLS, changing the security level might disrupt those services.
Use this procedure if disruption occurs.
  1. Wait 5 minutes and try again. (Wait for any services to restart.)
  2. Confirm that the SSL or TLS implementation is up-to-date and supports the specified level of security.
  3. If necessary, revert to an earlier version of SSL or TLS security.

An invocation example

chsecurity -sslprotocol 4

The resulting output

Changing the system security settings could result in a loss of access to the system via SSH or the management GUI. Refer to the Command Line Interface help for more information about the risks associated with each parameter. Are you sure you wish to continue? (y/yes to confirm)

An invocation example

chsecurity -sshprotocol 2

The resulting output

Changing the system security settings could result in a loss of access to the system via SSH or the management GUI. Refer to the Command Line Interface help for more information about the risks associated with each parameter. Are you sure you wish to continue? (y/yes to confirm)

Invocation examples

chsecurity -minpasswordlength 12
No feedback

chsecurity -minpasswordlength 5
CMMVC5702E [5] is below the minimum level.

chsecurity -minpasswordlength 65
CMMVC5703E The value or list starting with [65] is above the maximum permitted for that value or has exceeded the number of items allowed in a list.

chsecurity -guitimeout 60
No feedback

chsecurity -guitimeout 4
CMMVC5702E [4] is below the minimum level.

chsecurity -guitimeout 241
CMMVC5703E The value or list starting with [241] is above the maximum permitted for that value or has exceeded the number of items allowed in a list.

chsecurity -clitimeout 60
No feedback

chsecurity -clitimeout 4
CMMVC5702E [4] is below the minimum level.

chsecurity -clitimeout 241
CMMVC5703E The value or list starting with [241] is above the maximum permitted for that value or has exceeded the number of items allowed in a list.

chsecurity -superuserlocking enable
Changing the system security settings could result in a loss of access to the system via SSH or the management GUI. Refer to the Command Line Interface help for more information about the risks associated with each parameter. Are you sure you wish to continue? (y/yes to confirm)

chsecurity -superuserlocking enable
CMMVC9608E The command failed because superuser locking is only supported on platforms with a dedicated technician port.

chsecurity -maxfailedlogins 14
CMMVC5703E The value or list starting with [14] is above the maximum permitted for that value or has exceeded the number of items allowed in a list.

chsecurity -maxfailedlogins 4
No feedback

chsecurity -lockoutperiod 20400
CMMVC5703E The value or list starting with [20400] is above the maximum permitted for that value or has exceeded the number of items allowed in a list.

chsecurity -lockoutperiod 60
No feedback

chsecurity -lockoutperiod 0
No feedback

chsecurity -passwordexpiry 90
No feedback

chsecurity -passwordexpiry 60 -expirywarning 14
No feedback

chsecurity -checkpasswordhistory yes
No feedback

chsecurity -maxpasswordhistory 3
No feedback

chsecurity -minpasswordage 1
No feedback

svctask setpwdreset -disable
CMMVC1234E The command failed because superuser password reset cannot be disabled while superuser locking is enabled.

svctask chsecurity -passwordspecialchars 0
No feedback

svctask chsecurity -passworddigits 1
No feedback

svctask chsecurity -passwordlowercase 2
No feedback

svctask chsecurity -passworduppercase 3
No feedback

svctask chsecurity -passworduppercase 4
CMMVC5703E The value or list starting with [4] is above the maximum permitted for that value or has exceeded the number of items allowed in a list.

chsecurity -resetpolicy
Changing the system security settings could result in a loss of access to the system via SSH or the management GUI. Refer to the Command Line Interface help for more information about the risks associated with each parameter. Are you sure you wish to continue? (y/yes to confirm)