Compliance settings
The Compliance module provides various settings designed to meet regulatory compliance requirements, particularly those pertaining to PASSWORD SETTINGS, USERNAME, and FIPS.
To configure password requirements, navigate to the SECURITY > Compliance module. The Compliance tab is active by default.
Below is a description of the compliance fields. Select any setting you wish to enable, and if required, specify a value.
Minimum password length of X characters — Identifies the minimum password length.
Minimum password age of X hours — Identifies the minimum number of hours that must go by before a password can be changed. Administrators can change passwords regardless of this setting.
Maximum password age of X days — Identifies the maximum number of days that a password is valid before it must be changed. This option can be overridden at the User level by enabling the Ignore password aging rules option.
Email password change reminder X days before expiration — Emails a password change reminder to the email address associated with the User the specified number of days before the password reaches its maximum password age. To work as expected, an SMTP server must be configured under Settings > MISCELLANEOUS > Email in the MFT Server Admin UI.
Password must not match previous X passwords — Identifies the number of previous passwords that cannot match the new password.
Require password reset on first time log in — Requires a new User to reset their password the first time they log in.
PASSWORD REQUIRED CHARACTERS
Uppercase — If selected, an uppercase character must be included in the password.
Lowercase — If selected, a lowercase character must be included in the password.
Numeric — If selected, a numeric value (0-9) must be included in the password.
Non alpha-numeric — If selected, a special character (e.g., %, #, !) must be included in the password.
Deny login for password non-compliance — If enabled, the password is verified at the time of log in to check that it meets compliance requirements. If it matches the User's password but does not meet compliance requirements, access is denied.
Enter a regular expression to enforce user name requirements
Regular Expression — If selected, enter a regular expression that specifies the pattern that must be used when a new User is created.
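The following is an added worked example, not code from the JSCAPE documentation or the MFT Server product, that implements the password and user-name rules listed above as a standalone checker. The policy values, the user-name pattern and the 7-day reminder window are constructed assumptions chosen to illustrate the settings, not product defaults; the function and field names are likewise hypothetical.

```python
import re
from datetime import timedelta

# Constructed policy values mirroring the Compliance-tab fields described
# above; these are illustrative assumptions, not product defaults.
POLICY = {
    "min_length": 12,          # Minimum password length of X characters
    "min_age_hours": 24,       # Minimum password age of X hours
    "max_age_days": 90,        # Maximum password age of X days
    "reminder_days": 7,        # Email reminder X days before expiration
    "history": 5,              # Must not match previous X passwords
    "require_upper": True,     # PASSWORD REQUIRED CHARACTERS: Uppercase
    "require_lower": True,     # Lowercase
    "require_numeric": True,   # Numeric
    "require_special": True,   # Non alpha-numeric
}

# Constructed user-name pattern: a lowercase letter first, 3 to 32 characters
# total, drawn from lowercase letters, digits, '.', '_' and '-'.
USERNAME_RE = re.compile(r"[a-z][a-z0-9._-]{2,31}")


def check_password_compliance(password, previous_passwords=(), policy=POLICY):
    """Return the list of violated rules; an empty list means compliant."""
    violations = []
    if len(password) < policy["min_length"]:
        violations.append("min_length")
    if policy["require_upper"] and not re.search(r"[A-Z]", password):
        violations.append("uppercase")
    if policy["require_lower"] and not re.search(r"[a-z]", password):
        violations.append("lowercase")
    if policy["require_numeric"] and not re.search(r"[0-9]", password):
        violations.append("numeric")
    if policy["require_special"] and not re.search(r"[^A-Za-z0-9]", password):
        violations.append("non_alphanumeric")
    # History: only the most recent N previous passwords count. A real
    # deployment compares against stored hashes rather than plaintext.
    n = policy["history"]
    recent = list(previous_passwords)[-n:] if n > 0 else []
    if password in recent:
        violations.append("history")
    return violations


def change_allowed(last_changed, now, is_admin=False, policy=POLICY):
    """Minimum password age: a User must wait min_age_hours between changes;
    administrators are exempt, as the setting description states."""
    if is_admin:
        return True
    return now - last_changed >= timedelta(hours=policy["min_age_hours"])


def password_expired(last_changed, now, ignore_aging=False, policy=POLICY):
    """Maximum password age, overridable per User by 'Ignore password aging rules'."""
    if ignore_aging:
        return False
    return now - last_changed > timedelta(days=policy["max_age_days"])


def reminder_due(last_changed, now, policy=POLICY):
    """True when the password expires within reminder_days and is not yet expired."""
    expires = last_changed + timedelta(days=policy["max_age_days"])
    return timedelta(0) <= expires - now <= timedelta(days=policy["reminder_days"])


def username_allowed(name):
    """Enforce the user-name regular expression when a new User is created."""
    return USERNAME_RE.fullmatch(name) is not None


def login_permitted(password, stored_password, deny_noncompliant=True, policy=POLICY):
    """'Deny login for password non-compliance': a correct but non-compliant
    password is rejected while the option is enabled."""
    if password != stored_password:
        return False
    if deny_noncompliant and check_password_compliance(password, policy=policy):
        return False
    return True


if __name__ == "__main__":
    print(check_password_compliance("password"))
    print(check_password_compliance("Tr0ub4dor&3xx!"))
    print(username_allowed("alice.smith"), username_allowed("Alice"))
```

Each rule is reported separately so an administrator can see which compliance field a rejected password failed, which is also the information a password-change error message should carry to the User.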
Click on the FIPS tab in SECURITY > Compliance.
FIPS compliance — This option is ideal for environments that must comply with regulations that require strong cryptography. Many of these regulations only allow cryptographic algorithms recommended by duly recognized standards such as the Federal Information Processing Standards (FIPS). If switched ON, administrators cannot change allowed ciphers.
Prerequisites for using the FIPS compliance setting
Follow the instructions below if you wish to enable FIPS compliance.
- The Bouncy Castle libraries (JAR files that begin with bc*) stored in the MFT Server installation 'libs' directory must be replaced with the libraries located in the 'fips' directory. Create backups of the original bc* files in case you need them in the future. Once the files have been replaced, MFT Server must be restarted for the changes to take effect.
- Some headless environments (namely Linux, CentOS, and Ubuntu) may experience a slow start-up time due to entropy issues when using FIPS libraries. This is why FIPS-related libraries are placed in a separate directory rather than being included in the default "libs" directory. A work-around for this issue is to install haveged to ensure that the entropy pool is populated faster in headless environments. (See Installing haveged.)
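As an added example, not part of the JSCAPE documentation or the product, the following Python script performs the library swap described in the first prerequisite above: it backs up the bc* JARs found in the installation's libs directory and then copies in the ones from the fips directory. The directory layout (fips beside libs under the installation directory), the backup location and the JAR file names used in the demo are constructed assumptions; the required MFT Server restart is not performed by the script.

```python
import shutil
import tempfile
from pathlib import Path


def swap_fips_libraries(install_dir, backup_dir):
    """Replace the bc* JARs in <install_dir>/libs with those in <install_dir>/fips,
    backing up the originals to backup_dir first. Returns (backed_up, installed).

    Assumption: 'fips' sits beside 'libs' under the installation directory.
    """
    install = Path(install_dir)
    libs, fips, backup = install / "libs", install / "fips", Path(backup_dir)

    # Refuse to touch libs if there is nothing to install from the fips directory.
    fips_jars = sorted(fips.glob("bc*.jar"))
    if not fips_jars:
        raise FileNotFoundError(f"no bc*.jar files found in {fips}")

    # Back up the original bc* JARs before removing them, as the text advises.
    backup.mkdir(parents=True, exist_ok=True)
    backed_up = []
    for jar in sorted(libs.glob("bc*.jar")):
        shutil.copy2(jar, backup / jar.name)
        backed_up.append(jar.name)
        jar.unlink()

    # Copy the FIPS builds into libs; the server must be restarted afterwards.
    installed = []
    for jar in fips_jars:
        shutil.copy2(jar, libs / jar.name)
        installed.append(jar.name)
    return backed_up, installed


def run_constructed_demo():
    """Build a constructed installation tree in a temp directory and run the swap.
    The file names below are made up for the demo, not real Bouncy Castle names."""
    root = Path(tempfile.mkdtemp())
    (root / "libs").mkdir()
    (root / "fips").mkdir()
    for name in ("bcprov-standard.jar", "bcpkix-standard.jar", "other-lib.jar"):
        (root / "libs" / name).write_text("standard " + name)
    for name in ("bcprov-fips.jar", "bcpkix-fips.jar"):
        (root / "fips" / name).write_text("fips " + name)

    backed_up, installed = swap_fips_libraries(root, root / "backup")
    return {
        "backed_up": backed_up,
        "installed": installed,
        "libs_after": sorted(p.name for p in (root / "libs").iterdir()),
        "backup_after": sorted(p.name for p in (root / "backup").iterdir()),
    }


if __name__ == "__main__":
    for key, value in run_constructed_demo().items():
        print(key, value)
```

The non-bc JAR in libs is left untouched, and the original bc* files survive in the backup directory so the standard libraries can be restored if FIPS mode is later switched off.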