Lockouts

You can use lockouts to lock a single user, or all users, out of TADDM if the configured number of failed login attempts allowed is exceeded. Using the lockout feature provides better authentication control and helps to prevent the use of brute-force password cracking.

A local lockout is triggered if a single user exceeds the configured number of failed login attempts. As a result, the user cannot log in to TADDM for a configured length of time.

When a global lockout is triggered, no users can log in to TADDM for a configured length of time. A global lockout is triggered by one of the following two situations:
  • The number of active local lockouts for different users exceeds the configured maximum number of global lockouts allowed.
  • The number of failed login attempts across unique user names exceeds the configured limit.

When a lockout is triggered, existing sessions are not affected.

You can specify the number of failed login attempts allowed and the length of time for which a lockout remains active by configuring properties in the collation.properties file. For more information about these properties, see Lockout properties.

When a global lockout time elapses, any local lockouts in progress are automatically cleared.

In a synchronization server deployment, the synchronization server controls the security of all TADDM domains. Any lockouts that were active on the domain server before it was connected to the synchronization server are cleared when synchronization between the domain server and the synchronization server is enabled.

The failed login attempts that count towards the total can be of any type, for example, using the CLI API, Java™ API, tools (scripts), SOAP, REST, Discovery Management Console, or Data Management Portal. The lockout feature applies to integrations that use the TADDM API, but it does not apply to logins using single sign-on, or database-based integrations, for example Tivoli® Common Reporting.

A TADDM server administrator can clear a local or a global lockout by using the $COLLATION_HOME/bin/lockmgr.sh script. You can run the script from the following servers:
  • Domain server, in a domain server deployment
  • Synchronization server, in a synchronization server deployment
  • Primary storage server, in a streaming server deployment
You can run the lockmgr.sh script with the following options:
  lockmgr.sh -s
    Displays the lockout status.
  lockmgr.sh -g
    Clears an active global lockout.
  lockmgr.sh -u username
    Clears an active local lockout for a particular user.
  lockmgr.sh -h
    Displays help information for the lockmgr.sh script.
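The lockout rules described on this page, as an added illustration that is not TADDM's own code: a small Python model of local and global lockout state, including the clearing of local lockouts when a global lockout elapses and the equivalents of the lockmgr.sh -u and -g options. The thresholds are plain constructor arguments because the collation.properties names are not listed here, and the "unique user names" rule is read as the number of distinct user names with failed attempts; both are assumptions.

```python
import time

class LockoutManager:
    # Thresholds are assumed defaults, not TADDM's configured property values.
    def __init__(self, max_failures=5, lockout_seconds=300, max_global_lockouts=3,
                 max_unique_users=20, clock=time.time):
        self.max_failures = max_failures            # failed attempts allowed per user
        self.lockout_seconds = lockout_seconds      # how long a lockout stays active
        self.max_global_lockouts = max_global_lockouts  # active local lockouts allowed
        self.max_unique_users = max_unique_users    # distinct failing user names allowed
        self.clock = clock                          # injectable for testing
        self.failures = {}                          # user -> failed attempt count
        self.local_until = {}                       # user -> local lockout expiry time
        self.unique_failed = set()                  # user names that have failed
        self.global_until = None                    # global lockout expiry time

    def _expire(self):
        now = self.clock()
        if self.global_until is not None and now >= self.global_until:
            # Global lockout elapsed: any local lockouts in progress are cleared too.
            self.global_until = None
            self.local_until.clear()
            self.failures.clear()
            self.unique_failed.clear()
        for user in [u for u, t in self.local_until.items() if now >= t]:
            del self.local_until[user]
            self.failures[user] = 0

    def is_locked(self, user):
        self._expire()
        return self.global_until is not None or user in self.local_until

    def record_failure(self, user):
        # Register one failed login of any type; return True if user is now locked out.
        self._expire()
        now = self.clock()
        self.failures[user] = self.failures.get(user, 0) + 1
        self.unique_failed.add(user)
        if self.failures[user] > self.max_failures:           # local lockout
            self.local_until[user] = now + self.lockout_seconds
        if (len(self.local_until) > self.max_global_lockouts  # too many active lockouts
                or len(self.unique_failed) > self.max_unique_users):  # many user names
            self.global_until = now + self.lockout_seconds
        return self.is_locked(user)

    def clear_local(self, user):      # equivalent of lockmgr.sh -u username
        self.local_until.pop(user, None)
        self.failures[user] = 0

    def clear_global(self):           # equivalent of lockmgr.sh -g
        self.global_until = None
```

Existing sessions are outside this model, matching the page's note that a lockout does not affect them.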