DM database password policy and login restriction settings

In the user security of database , Password complexity policy and resource restriction are an important part of user security . stay DM In the database , Password strategy is divided into system password strategy and user password strategy . Only the secure version supports setting password policy for each user （ Use the household registration policy ）, Non secure version , Only the system password policy is supported .

DM The database provides users IP Address and login time limit function , This chapter is an introduction. DM Database system password policy settings and user login restriction settings .

System password policy

When creating users in the database , You need to specify the password of the user , The complexity of the password is required by the password policy of the system PWD_POLICY Parameter determination . The password policies supported by the system include ：

0 No strategy

1 It is forbidden to be the same as the user name

2 The password length is not less than 9

4 Contains at least one capital letter （A-Z）

8 Include at least one number （0-9）

16 Include at least one punctuation mark （ In English input mode , except ” And all the symbols outside the space ）

Password policy can be applied separately , It can also be used in combination . For example, we require that the user name and password be prohibited from being the same , It also requires that the password contain at least one capital letter , Set the password policy to 1+4=5 that will do .

Use the following statement to query the password policy information of the system ：

SQL>select * where PARA_NAME = 'PWD_POLICY';

The query results are as follows , You can see , The default password parameter is 2.

It can be seen that PWD_POLICY Parameters are dynamic parameters , We can do that by using DM Console tools or call system procedures SP_SET_PARA_VALUE To reset PWD_POLICY Value .

Use DM Console tools

stay DM The installation directory tool Next use DM Install user execution ./console, You can open DM Console tools , Find in the safety related parameters PWD_POLICY Parameter options （ You can also directly enter PWD_POLICY Parameters ）, You can modify PWD_POLICY The value of the parameter , As shown in the figure below .

It should be noted that ,DM Console tools are offline tools , Modify the parameter value by modifying dm.ini File to achieve , Whether the parameter type is static or dynamic , Both need to be rebooted DM The server can make the newly set parameter value take effect .

Use the system process

DM The modification of console tool parameters requires restarting the database to take effect , It is very inconvenient for the production environment , We can use system processes SP_SET_PARA_VALUE To configure the PWD_POLICY Parameter values . for example , take PWD_POLICY Set as 15（1+2+4+8）, because PWD_POLICY Is a dynamic parameter , We can modify file and memory parameters at the same time , At this time, the new parameter value takes effect immediately after setting . Execute the following function to modify the parameters ：

SQL>SP_SET_PARA_VALUE(1, 'PWD_POLICY', 15);

After the modification is completed , Query system parameters , You can see PWD_POLICY Has been modified .

here , We build new testuser user , Specify the password as dameng123, The system will prompt that the password does not conform to the complexity rules . Change the password to Dameng123（ At this point in time 15 The rules of ）, Prompt to create successfully . Let's check DBA_USERS View , You can see the new user TESTUSER The corresponding password policy is 15, and SYSSSO、SYSDBA、SYS、SYSAUDITOR The password policy of the system user is 0, The password policy of other ordinary users uses the original password policy 2（ Password policy of the system when creating users ）.

It can be seen that , The system password policy is only valid for newly created users , The original created user still uses the original system password policy .

Suppose we want to change the password policy of the user , Non secure versions are not supported , Only the secure version supports . The display error of non safe version is shown in the following figure .

Resource constraints

DM The database provides user resource restrictions 、IP Address limit and user time limit function .

We use the following command to limit testuser User login , When the user fails to log in continuously 10 It will be locked after times , Restrict their login IP by 192.168.88.* Of IP The Internet , Login time is limited to Monday morning 8：00 Until Thursday afternoon 17：30.

SQL>alter USER testuser LIMIT FAILED_LOGIN_ATTEMPS 10 ALLOW_IP "192.168.88.*" ALLOW_DATETIME "MON" "8:30:00" TO "THURS" "17:30:00";

After successful execution , Inquire about sysusers Digital dictionary can see testuser Has limited IP And time period .

Use testuser The user login , The prompt is invalid IP. The implementation is as follows SQL modify IP Limit increase 127.0.0.1, Again using testuser Sign in , Prompt error ： Log in for a limited period of time .

SQL>alter user testuser ALLOW_IP "192.168.88.*","127.0.0.1";

Because the current system time is Friday , It is no longer within the allowed login period , We execute the following command to modify the allowed login time to Monday 8：00 By Friday 17：30.

SQL>alter user testuser ALLOW_DATETIME "MON" "8:30:00" TO "FRI" "17:30:00";

Again using testuser Sign in , Show login success .

summary ：

1. The system password policy is only valid for newly created users , Old users still use the original password strategy .

2. The Security version can specify and modify the password policy of users , The non secure version cannot specify the password policy of a user .

3. DM The database is open to users IP Limit 、 Time limit function , It ensures the login security of users more .