Password policy

Level 2

Hi,

Below are the questions raised by the security audit team. We are using CQ 5.6.1. Is there any way to configure and define the password policy?

  • Password length should be minimum 8 characters.
  • Password complexity should be in place.
  • Last 5 passwords should not be used.
  • Password age should be 45 days.
  • User IDs to be locked after 5 unsuccessful login attempts. Also, the user should be auto logged off if there is no activity in a certain time frame, which should be configurable.
  • In case of new password allocation, administrator should provide temporary password to user and send confirmation mail after password allocation.
  • Forced password change on first login.

Regards,

Deepak

1 Accepted Solution

Correct answer by
Level 2

Hey, managed to do it myself; it's pretty easy.

1. Go to Config manager and search for "DAY CQSE HTTP Service". The default session timeout is 10 mins; you can change it as per the requirement.


Hope this will help others

8 Replies

Level 9

Deepak,

What do you mean by configuration? These are simple text messages for the end user, and can be put in using the RTE. Now, whether the user follows these instructions or not is part of the validation, and validation (server side/client side) would render these messages.

If there is a case where you don't want an author to put same text multiple places then move it to some admin pages and read that common content. By this way, it seems you need to do some extra work.

Regards,

Jitendra

Level 2

Hi Jitendra,

I am talking about ACL (user management). When you create a user, there is no option to set the password policy for the user to log in.

Regards,

Deepak

Level 7

Hi Deepak,

 

Please find the below article, this might be helpful for getting you started. After that you can amend as required.

http://experience-aem.blogspot.com.au/2015/09/aem-61-classic-ui-implementing-simple-password-policy....

Level 2

Thanks for your response. I am using CQ 5.6.1. Do you have any reference?

 

Also, I would like to change the user inactivity timeout. If a user is idle for 5 mins, then the system should log him out.

Level 7

Though this is for AEM 6.1, it is for the classic UI, so it should also work for 5.6.1. Kindly try to implement it and see if it works for you.

Level 2

Thanks I will check this option.

I would like to change the user inactivity timeout. If a user is idle for 5 mins, then the system should log him out. How can we achieve this?

Administrator

Hi 

Answering your first question, 

Validation can be achieved by implementing custom validation using JavaScript.

As it is done in link mentioned by Tuhin :- http://experience-aem.blogspot.in/2015/09/aem-61-classic-ui-implementing-simple-password-policy.html

 

Second question on Timeout:- You can achieve this with session timeout.

Link:- http://aemfaq.blogspot.in/2014/10/how-to-set-timeout-for-login-token.html

//

Link:- http://www.tothenew.com/blog/setting-the-timeout-interval-of-a-httpsession/

 

Thanks and Regards

Kautuk Sahni
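
The audit rules from the question (length, complexity, history, age, lockout), written as a server-side check to back up any client-side validation. This is an added example, not part of the original thread and not CQ/AEM code. All function names are hypothetical, and the definition of "complexity", the use of scrypt for the history and lockout persisting until an administrator reset are assumptions.

```javascript
const nodeCrypto = require("node:crypto");

const POLICY = { minLength: 8, historySize: 5, maxAgeDays: 45, maxFailures: 5 };

// The history holds salted scrypt hashes of earlier passwords, never plaintext.
function hashPassword(password, salt = nodeCrypto.randomBytes(16)) {
  return { salt, hash: nodeCrypto.scryptSync(password, salt, 32) };
}

function matches(password, entry) {
  const candidate = nodeCrypto.scryptSync(password, entry.salt, 32);
  return nodeCrypto.timingSafeEqual(candidate, entry.hash);
}

// Returns the violated rules; an empty list means the password is accepted.
// Assumption: "complexity" = lower case, upper case, digit and symbol.
function checkNewPassword(password, history) {
  const violations = [];
  if ([...password].length < POLICY.minLength) violations.push("too-short");
  const classes = [/[a-z]/, /[A-Z]/, /[0-9]/, /[^A-Za-z0-9]/];
  if (!classes.every((re) => re.test(password))) violations.push("not-complex");
  const recent = history.slice(-POLICY.historySize); // last 5 only
  if (recent.some((entry) => matches(password, entry))) violations.push("reused");
  return violations;
}

// Password age: expired once more than 45 days have passed since the change.
function isExpired(lastChanged, now) {
  return now - lastChanged > POLICY.maxAgeDays * 24 * 60 * 60 * 1000;
}

// Lockout: locked at the fifth consecutive failure; a later success does not
// unlock (assumption: only an administrator reset clears the flag).
function recordLogin(account, success) {
  if (account.locked) return true;
  account.failures = success ? 0 : account.failures + 1;
  account.locked = account.failures >= POLICY.maxFailures;
  return account.locked;
}

// Constructed sample data: six earlier passwords, oldest first.
const sampleHistory = ["Old#Pass1", "Old#Pass2", "Old#Pass3", "Old#Pass4",
  "Old#Pass5", "Old#Pass6"].map((p) => hashPassword(p));
console.log(checkNewPassword("Old#Pass6", sampleHistory));
```
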


