Password policy

The password policy applies to all passwords in IBM® Security Guardium® Key Lifecycle Manager. For example, passwords for users, export files, backup files, replication backup files, and so on. The policy is specified in the SKLM_DATA/config/TKLMPasswordPolicy.xml file.

The policy does not apply to the initial passwords that are created for default users such as SKLMAdmin. These default users are created during IBM Security Guardium Key Lifecycle Manager installation.

The password policy applies to changes to passwords for default users, and to new and changed passwords for new users. Policy checking is done only when you create or change a user profile. You must assign a role to a new user before that user attempts to log in to IBM Security Guardium Key Lifecycle Manager.

The password policy is enabled by default. You can use an XML or ASCII editor to change this file. To disable the policy, change the value of the enabled parameter in the policy file to false:
<PasswordPolicy enabled="true"

For more information, see Changing the password policy.

IBM Security Guardium Key Lifecycle Manager supports these password rules:
Table 1. Password rules

Rule                                                               Default value
-----------------------------------------------------------------  -------------
Minimum length                                                     8
Maximum length                                                     20
    Note: Ensure that the value does not exceed 127.
Minimum number of numeric characters                               2
Minimum number of alphabetic characters                            3
Maximum number of consecutive occurrences of the same character    2
Upper-case characters                                              At least 1
    Note: This is a non-configurable rule.
Lower-case characters                                              At least 1
    Note: This is a non-configurable rule.
Special characters                                                 Allowed: ~@_/+:
                                                                   Disallowed: `!#$%^&*()=}{][|"';?.<,>-
    The special character requirement is not enforced when the imcl tool is used for silent installation.
    For more information, see https://www.ibm.com/support/pages/supported-special-characters-ibm-security-key-lifecycle-manager-passwords.
Disallow the presence of the user ID* in the password              Enabled
Disallow the presence of the user name* in the password            Enabled

* Detection of this value is case-sensitive.

Note: To specify that the value is not case-sensitive, edit the default password policy and specify CaseInsensitive for the user ID and user name rules. The default password policy file is as follows:
<?xml version="1.0" encoding="UTF-8"?>
<PasswordPolicy enabled="true" name="Password policy for TKLM"
    uuid="" version="1.0">
  <Description />
  <PasswordRules><![CDATA[<?xml version="1.0" encoding="UTF-8"?>
    <PasswordRuleSet version="1.0">
      <MinLengthConstraint Min="8"/>
      <MaxLengthConstraint Max="20"/>
      <MaxSequentialChars Max="2"/>
      <MinAlphabeticCharacters Min="3"/>
      <MinDigitCharacters Min="2"/>
      <!-- Inside an attribute value, &, " and < must be written as &amp;, &quot; and &lt; -->
      <MayNotContain CharList="`!#$%^&amp;*()=}{][|&quot;';?.&lt;,>-"/>
      <MustContain CharList="~@_/+:"/>
      <NotUserID/>
      <NotUserName/>
    </PasswordRuleSet>
  ]]></PasswordRules>
</PasswordPolicy>
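A way to check a candidate password against this policy file before a user profile is created or changed, for example in an automation script, as an added example that is not part of IBM's documentation or product code. It assumes the rule semantics given in Table 1 (MaxSequentialChars limits consecutive repeats of one character, MustContain is satisfied by at least one listed character) and that the user ID and user name checks are case-sensitive, as the table states:

```python
# Added example (not IBM code): check a candidate password against a TKLMPasswordPolicy.xml.
import xml.etree.ElementTree as ET
from itertools import groupby

# Constructed sample: the page's default policy, attribute value escaped as XML requires.
POLICY_XML = """<?xml version="1.0" encoding="UTF-8"?>
<PasswordPolicy enabled="true" name="Password policy for TKLM" uuid="" version="1.0">
  <Description />
  <PasswordRules><![CDATA[<?xml version="1.0" encoding="UTF-8"?>
<PasswordRuleSet version="1.0">
  <MinLengthConstraint Min="8"/><MaxLengthConstraint Max="20"/><MaxSequentialChars Max="2"/>
  <MinAlphabeticCharacters Min="3"/><MinDigitCharacters Min="2"/>
  <MayNotContain CharList="`!#$%^&amp;*()=}{][|&quot;';?.&lt;,>-"/><MustContain CharList="~@_/+:"/>
  <NotUserID/><NotUserName/>
</PasswordRuleSet>]]></PasswordRules>
</PasswordPolicy>"""

def load_rules(policy_xml):
    """Return the PasswordRuleSet element (an XML document inside CDATA), or None if disabled."""
    outer = ET.fromstring(policy_xml)
    if outer.get("enabled", "true").lower() != "true":
        return None
    return ET.fromstring(outer.findtext("PasswordRules").strip())

def max_run(s):
    """Longest run of the same character repeated consecutively."""
    return max((len(list(g)) for _, g in groupby(s)), default=0)

def check_password(password, user_id, user_name, policy_xml=POLICY_XML):
    """Return the names of violated rules; an empty list means the password is accepted."""
    rules = load_rules(policy_xml)
    if rules is None:  # policy disabled: nothing to enforce
        return []
    checks = {  # MustContain is read as "at least one of these characters" (assumption)
        "MinLengthConstraint": lambda r: len(password) >= int(r.get("Min")),
        "MaxLengthConstraint": lambda r: len(password) <= int(r.get("Max")),
        "MaxSequentialChars": lambda r: max_run(password) <= int(r.get("Max")),
        "MinAlphabeticCharacters": lambda r: sum(c.isalpha() for c in password) >= int(r.get("Min")),
        "MinDigitCharacters": lambda r: sum(c.isdigit() for c in password) >= int(r.get("Min")),
        "MayNotContain": lambda r: not set(password) & set(r.get("CharList")),
        "MustContain": lambda r: bool(set(password) & set(r.get("CharList"))),
        "NotUserID": lambda r: user_id not in password,  # case-sensitive, as documented
        "NotUserName": lambda r: user_name not in password,
    }
    failed = [r.tag for r in rules if not checks.get(r.tag, lambda r: True)(r)]
    # Non-configurable rules from Table 1: at least one upper- and one lower-case character.
    failed += [name for name, test in (("UpperCase", str.isupper), ("LowerCase", str.islower))
               if not any(test(c) for c in password)]
    return failed
```

Unknown rule elements are skipped rather than rejected, so a policy edited to use a rule this checker does not model still parses; extend the dictionary for such rules.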