Troubleshooting Password Issues

This topic describes how to unlock, reset, or change the passwords for an account on your gateway. It also describes the password rules enforced for the ssgconfig and root accounts.
This topic applies only to Appliance Gateways.
To maintain the security of your API Gateway appliance, stringent password rules are enforced for the ssgconfig and root user accounts.
The stringent rules apply only to the ssgconfig and root user accounts. Other passwords used by the Gateway are not affected and will not be locked out after unsuccessful attempts.
Password Rules
You are required to change the password for the ssgconfig and root accounts upon first use and every 60 days thereafter. The new password must adhere to the following rules:
  • Minimum 9 characters in length
  • Contains at least two upper and two lowercase characters
  • Contains at least two digits
  • Contains at least two special characters
The new password must not be a repeat of any of the five most recent passwords and at least 24 hours must have elapsed since the last password change.
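As an added example (not part of the CA documentation or the Gateway's own code), the following shell function pre-checks a candidate password against the four composition rules above before it is entered at a password prompt. The function names are hypothetical, "special character" is assumed to mean ASCII punctuation, and the history and 24-hour rules are not checked because they depend on state held on the appliance.

```shell
#!/bin/sh
# Added example: pre-check a candidate password against the composition
# rules listed above. Function names and messages are hypothetical.

# count_class CLASS STRING -> how many bytes of STRING fall in tr class CLASS
count_class() {
    printf '%s' "$2" | LC_ALL=C tr -cd "$1" | wc -c | tr -d ' '
}

# check_gateway_password CANDIDATE
# Prints one line per violated rule; returns 0 if every rule passes, else 1.
# Lengths are counted in bytes, so the check is exact for ASCII passwords.
check_gateway_password() {
    pw=$1
    rc=0
    len=$(printf '%s' "$pw" | wc -c | tr -d ' ')
    upper=$(count_class '[:upper:]' "$pw")
    lower=$(count_class '[:lower:]' "$pw")
    digit=$(count_class '[:digit:]' "$pw")
    # Assumption: "special" means ASCII punctuation; the page does not define it.
    special=$(count_class '[:punct:]' "$pw")

    [ "$len" -ge 9 ] || {
        echo "needs at least 9 characters (found $len)"; rc=1; }
    [ "$upper" -ge 2 ] || {
        echo "needs at least 2 uppercase characters (found $upper)"; rc=1; }
    [ "$lower" -ge 2 ] || {
        echo "needs at least 2 lowercase characters (found $lower)"; rc=1; }
    [ "$digit" -ge 2 ] || {
        echo "needs at least 2 digits (found $digit)"; rc=1; }
    [ "$special" -ge 2 ] || {
        echo "needs at least 2 special characters (found $special)"; rc=1; }
    return $rc
}
```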
 
WARNING: The Gateway automatically locks the ssgconfig or root account after five unsuccessful login attempts. To restore ssgconfig access, see Unlocking the SSGCONFIG Account below. A locked root account will be unlocked automatically after 20 minutes. For instructions on restoring a locked root account immediately, see this article on the CA Support site: Managing the Gateway appliance privileged (root) account.
 
Unlocking the SSGCONFIG Account
Re-enabling the ssgconfig account requires physical access to the Gateway appliance and knowledge of the root password.
To unlock the ssgconfig account:
  1. At the console, log in as the root user.
  2. Type the following command at the command prompt:
    # pam_tally2 --user ssgconfig --reset
You may now log in using the ssgconfig account. Note that lockout will again occur after five unsuccessful attempts.
Changing the SSGCONFIG Password
Changing the ssgconfig password requires physical access to the Gateway appliance and knowledge of the root password. You cannot change the password for an ssgconfig account that is currently locked.
To change the ssgconfig password:
  1. At the console, log in as the root user.
  2. Type the following command at the command prompt:
    # passwd ssgconfig
Follow the prompts on the screen to change the password. The new password must conform to the “Password Rules” listed above.
Resetting the Administrative Password
This section describes how to reset the administrative password for the initial Policy Manager administrator account.
This only works for the administrative user that was created initially when the Gateway was configured. It is not intended to be used as a general-purpose password manipulation application (you can use the Gateway REST API for this—see REST Management API).
To reset the administrative password:
  1. Access the Gateway main menu for your form factor: appliance or software.
  2. Access the password reset option as follows:
    • For Appliance Gateways, select option 2 (Display CA API Gateway configuration menu) and then option 8 (Reset Admin password).
    • For Software Gateways, select option 6 (Reset Admin password).
  3. Enter the administrative user name.
  4. Enter the new administrative user password. The password is reset.