chsecurity

Use the chsecurity command to change the security settings for a system.

Syntax

chsecurity [-sslprotocol security_level] [-sshprotocol security_level]
    [-guitimeout gui_timeout_mins] [-clitimeout cli_timeout_mins]
    [-minpasswordlength min_password_length] [-passwordspecialchars password_special_chars]
    [-passworduppercase password_upper_case] [-passwordlowercase password_lower_case]
    [-passworddigits password_digits] [-checkpasswordhistory yes | no]
    [-maxpasswordhistory max_password_history] [-minpasswordage min_password_age_days]
    [-passwordexpiry password_expiry_days] [-expirywarning expiry_warning_days]
    [-superuserlocking enable | disable] [-maxfailedlogins max_failed_login_attempts]
    [-lockoutperiod lockout_period_mins] [-resetpolicy] [-restapitimeout timeout_mins]
    [-superusermultifactor yes | no] [-sshmaxtries (1-10)] [-sshgracetime (15-1800)]
    [-superuserpasswordkeyrequired yes | no] [-disablesuperusergui yes | no]
    [-disablesuperuserrest yes | no] [-disablesuperusercim yes | no]
    [-twopersonintegrity yes | no] [-resetsslprotocol] [-resetsshprotocol]

Parameters

-sslprotocol security_level
(Optional) Specifies the numeric value for the SSL security level setting, which can take any value from 2 to 7. A setting of 5 is the default value.
Use these sslprotocol security level settings:
  • 2 - Allows TLS 1.2, but disallows TLS 1.0 and TLS 1.1.
  • 3 - Additionally disallows TLS 1.2 cipher suites that are not exclusive to 1.2.
  • 4 - Additionally disallows RSA key exchange ciphers and static key exchange ciphers.
  • 5 (Compatibility mode) - Initially allows TLS 1.3, which is the preferred method of connection. If TLS 1.3 fails, TLS 1.2 is used for connections.
  • 6 - Allows TLS 1.3 and the five ciphers of TLS 1.3.
  • 7 - Allows TLS 1.3 and a single FIPS cipher.

Changing the SSL security level might disable the GUI connection on older web browsers. If connection is lost, use the CLI prompt to change the security level back to a known good level.

-sshprotocol security_level
(Optional) Specifies the numeric value for the SSH security level setting, which can take a value of 1 to 4. A setting of 3 is the default value.
Use these sshprotocol security level settings:
  • 1 Allows the following key exchange methods:
    • curve25519-sha256
    • curve25519-sha256@libssh.org
    • ecdh-sha2-nistp256
    • ecdh-sha2-nistp384
    • ecdh-sha2-nistp521
    • diffie-hellman-group-exchange-sha256
    • diffie-hellman-group16-sha512
    • diffie-hellman-group18-sha512
    • diffie-hellman-group14-sha256
    • diffie-hellman-group14-sha1
    • diffie-hellman-group1-sha1
    • diffie-hellman-group-exchange-sha1
  • 2 Allows the following key exchange methods:
    • curve25519-sha256
    • curve25519-sha256@libssh.org
    • ecdh-sha2-nistp256
    • ecdh-sha2-nistp384
    • ecdh-sha2-nistp521
    • diffie-hellman-group-exchange-sha256
    • diffie-hellman-group16-sha512
    • diffie-hellman-group18-sha512
    • diffie-hellman-group14-sha256
    • diffie-hellman-group14-sha1
  • 3 Allows the following key exchange methods:
    • curve25519-sha256
    • curve25519-sha256@libssh.org
    • ecdh-sha2-nistp256
    • ecdh-sha2-nistp384
    • ecdh-sha2-nistp521
    • diffie-hellman-group-exchange-sha256
    • diffie-hellman-group16-sha512
    • diffie-hellman-group18-sha512
    • diffie-hellman-group14-sha256
  • 4 Allows the following key exchange methods:
    • curve25519-sha256
    • curve25519-sha256@libssh.org
    • ecdh-sha2-nistp256
    • ecdh-sha2-nistp384
    • ecdh-sha2-nistp521
    Restriction: The 3-site-orchestrator does not support SSH protocol level 4.
-guitimeout gui_timeout_mins
(Optional) Specifies the amount of time (in minutes) before a session expires and the user is logged out of the GUI for inactivity. The value must be an integer in the range 5 - 240.
-clitimeout cli_timeout_mins
(Optional) Specifies the amount of time (in minutes) before a session expires and the user is logged out of the CLI for inactivity. The value must be an integer in the range 5 - 240.
-minpasswordlength min_password_length
(Optional) Specifies the minimum length requirement for user account passwords on the system. The value must be an integer in the range 6 - 64.
-passwordspecialchars password_special_chars
(Optional) Specifies how many special characters are required in passwords for local users. A value of 0 means that no special characters are required. The value must be an integer in the range 0 - 3.
-passworduppercase password_upper_case
(Optional) Specifies how many uppercase characters are required in passwords for local users. A value of 0 means that no uppercase characters are required. The value must be an integer in the range 0 - 3.
-passwordlowercase password_lower_case
(Optional) Specifies how many lowercase characters are required in passwords for local users. A value of 0 means that no lowercase characters are required. The value must be an integer in the range 0 - 3.
-passworddigits password_digits
(Optional) Specifies how many digits are required in passwords for local users. A value of 0 means that no numbers are required. The value must be an integer in the range 0 - 3.
-checkpasswordhistory yes | no
(Optional) Specifies whether the system prevents the user from reusing a previous password. The value is either yes or no. This parameter is not supported on FlashSystem 5015, FlashSystem 5035 and FlashSystem 5045.
-maxpasswordhistory max_password_history
(Optional) Specifies the number of previous passwords to compare with if checkpasswordhistory is enabled. A value of 0 means that the new password is compared with the current password only. The value must be an integer in the range 0 - 10.
-minpasswordage min_password_age_days
(Optional) Specifies the minimum number of days that must pass between password changes. This setting is enforced only when checkpasswordhistory is enabled, and it is ignored when the password has already expired. If the value is greater than the passwordexpiry value, the setting has no effect. The value must be an integer in the range 0 - 365.
-passwordexpiry password_expiry_days
(Optional) Specifies the number of days before a password expires. A value of 0 means that the feature is disabled and passwords do not expire. The value must be an integer in the range 0 - 365.
-expirywarning expiry_warning_days
(Optional) Specifies how many days before a password expires to raise a warning. The warning is displayed on every CLI login until the password is changed. A value of 0 means that the feature is disabled and warnings are not displayed. The value must be an integer in the range 0 - 30.
-superuserlocking enable | disable
(Optional) Specifies whether the locking policy that is configured on the system also applies to the superuser. The value is either enable or disable. This parameter is only supported on systems with a dedicated technician port.
-maxfailedlogins max_failed_login_attempts
(Optional) Specifies the number of failed login attempts before the user account is locked for the amount of time that is specified in lockoutperiod. A value of 0 means that the feature is disabled and accounts are not locked out after failed login attempts. The value must be an integer in the range 0 - 10.
-lockoutperiod lockout_period_mins
(Optional) Specifies the number of minutes that a user is locked out for if the max failed logins value is reached. A value of 0 implies the user is indefinitely locked out when the max failed login attempts are reached. The value must be an integer in the range 0 - 10080.
-resetpolicy
(Optional) Resets all security settings to their default values. A yes / no warning prompt is displayed to confirm the action. This parameter cannot be run with any other parameters.
-restapitimeout timeout_mins
(Optional) Specifies the amount of time (in minutes) before a REST API token expires. The value must be an integer in the range 10 - 120.
-superusermultifactor yes | no
(Optional) Specifies whether the superuser is prompted for multifactor authentication. The value is either yes or no.
-sshmaxtries (1-10)
(Optional) Specifies the number of login attempts that are allowed on a single SSH connection. The value must be an integer in the range 1 - 10.
-sshgracetime (15-1800)
(Optional) Specifies how long (in seconds) a user has to complete all login factors on a single SSH connection before the connection is terminated. The value must be an integer in the range 15 - 1800.
-superuserpasswordkeyrequired yes | no
(Optional) Specifies whether the superuser must provide both a password and an SSH key to authenticate. The value is either yes or no.
-disablesuperusergui yes | no
(Optional) Specifies whether GUI access is disabled for the superuser. The value is either yes or no.
-disablesuperuserrest yes | no
(Optional) Specifies whether REST API access is disabled for the superuser. The value is either yes or no.
-disablesuperusercim yes | no
(Optional) Specifies whether CIMOM access is disabled for the superuser. The value is either yes or no.
-twopersonintegrity yes | no
(Optional) Specifies whether two person integrity (TPI) is enabled. The value is either yes or no.
-resetsslprotocol
(Optional) Resets the SSL protocol security level to the default value 5 and configures the system to automatically follow the suggested level.
-resetsshprotocol
(Optional) Resets the SSH protocol security level to the default value 3 and configures the system to automatically follow the suggested level.
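The following shell script is an added example and is not part of the IBM documentation or the product. It checks a candidate password against the complexity parameters described above before the password is applied to a user account, and it flags the ageing and history combinations that the parameter descriptions say are silently ignored. The policy values at the top are a constructed sample (on a real system, read the current values with lssecurity, which is assumed here to report them), and treating every non-alphanumeric character as a special character is an assumption, because the page does not define the set.

```sh
# Added example (not from the IBM documentation): validate a candidate password
# against the chsecurity complexity settings, and warn about policy values that
# the parameter descriptions say have no effect in combination.

# Complexity values mirroring the chsecurity parameters. Constructed sample
# policy; on a real system take the current values from lssecurity (assumed).
min_password_length=12
password_upper_case=1
password_lower_case=1
password_digits=1
password_special_chars=1

# Count the characters of one POSIX class (for example [:upper:]) in $1.
count_class() {
    printf '%s' "$1" | tr -cd "$2" | wc -c | tr -d ' '
}

# Count special characters, taken here to mean anything that is not a letter
# or a digit (assumption: the page does not define the special-character set).
count_special() {
    printf '%s' "$1" | tr -d '[:alnum:]' | wc -c | tr -d ' '
}

# Returns 0 when the candidate meets every rule; otherwise prints each unmet
# rule and returns 1.
check_password() {
    pw="$1"
    ok=0
    [ "${#pw}" -ge "$min_password_length" ] \
        || { echo "length ${#pw} is below minpasswordlength $min_password_length"; ok=1; }
    [ "$(count_class "$pw" '[:upper:]')" -ge "$password_upper_case" ] \
        || { echo "fewer than $password_upper_case uppercase characters"; ok=1; }
    [ "$(count_class "$pw" '[:lower:]')" -ge "$password_lower_case" ] \
        || { echo "fewer than $password_lower_case lowercase characters"; ok=1; }
    [ "$(count_class "$pw" '[:digit:]')" -ge "$password_digits" ] \
        || { echo "fewer than $password_digits digits"; ok=1; }
    [ "$(count_special "$pw")" -ge "$password_special_chars" ] \
        || { echo "fewer than $password_special_chars special characters"; ok=1; }
    return $ok
}

# Flag ageing/history settings that are ignored according to the parameter
# descriptions. Arguments: passwordexpiry minpasswordage checkpasswordhistory
# maxpasswordhistory expirywarning
policy_warnings() {
    expiry=$1; minage=$2; history=$3; maxhist=$4; warn=$5
    if [ "$expiry" -gt 0 ] && [ "$minage" -gt "$expiry" ]; then
        echo "minpasswordage $minage exceeds passwordexpiry $expiry: minimum age is never enforced"
    fi
    if [ "$history" = no ] && [ "$minage" -gt 0 ]; then
        echo "minpasswordage is enforced only when checkpasswordhistory is yes"
    fi
    if [ "$history" = no ] && [ "$maxhist" -gt 0 ]; then
        echo "maxpasswordhistory is ignored while checkpasswordhistory is no"
    fi
    if [ "$expiry" -eq 0 ] && [ "$warn" -gt 0 ]; then
        echo "expirywarning is ignored while passwordexpiry is 0 (passwords never expire)"
    fi
}

# Demonstration on constructed inputs (not real credentials).
if [ "${1:-}" = demo ]; then
    check_password 'Tr0ub4dor&3xample' && echo 'candidate accepted'
    check_password 'password' || echo 'candidate rejected'
    policy_warnings 90 100 yes 3 14
fi
```

Run the script with the argument demo to see both the per-rule failures for a weak candidate and the warning for a minpasswordage that exceeds passwordexpiry. Keeping the counts in separate functions makes it easy to raise the per-class minimums (the range is 0 - 3) without touching the checker.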

Description

This command changes the security settings on a system.
Important: Changing the SSL security level can disrupt any client that connects to the system with SSL or TLS (the management GUI, the REST API, and other management clients). If disruption occurs, use this procedure:
  1. Wait 5 minutes for any affected services to restart, then try again.
  2. Confirm that the client's SSL or TLS implementation is up to date and supports the protocol versions and ciphers of the specified security level.
  3. If necessary, use the CLI to revert to a lower SSL security level that is known to work.
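The same kind of pre-flight check applies to the SSH security level: the page warns that raising it can cost you SSH access, and the sshprotocol parameter lists exactly which key exchange methods survive at each level. The script below is an added example, not IBM code; it encodes those per-level lists and tells you which methods a given client can still negotiate, so you can find the highest level that keeps your automation hosts connected before you change it. The client list is read in the one-per-line format that `ssh -Q kex` prints; the legacy client embedded here is a constructed sample, not a real capture.

```sh
# Added example (not from the IBM documentation): before raising the
# sshprotocol level, check which key exchange methods a client will still be
# able to negotiate, using the per-level lists from the parameter description.

# Key exchange methods permitted at each sshprotocol level. Level 4 is the
# strictest; each lower level re-adds the methods the next level removes.
kex_allowed_at_level() {
    case "$1" in
        4) printf '%s\n' curve25519-sha256 curve25519-sha256@libssh.org \
               ecdh-sha2-nistp256 ecdh-sha2-nistp384 ecdh-sha2-nistp521 ;;
        3) kex_allowed_at_level 4
           printf '%s\n' diffie-hellman-group-exchange-sha256 \
               diffie-hellman-group16-sha512 diffie-hellman-group18-sha512 \
               diffie-hellman-group14-sha256 ;;
        2) kex_allowed_at_level 3
           printf '%s\n' diffie-hellman-group14-sha1 ;;
        1) kex_allowed_at_level 2
           printf '%s\n' diffie-hellman-group1-sha1 \
               diffie-hellman-group-exchange-sha1 ;;
        *) echo "unknown sshprotocol level: $1" >&2; return 1 ;;
    esac
}

# Read the client's kex list from stdin (one method per line, the format that
# `ssh -Q kex` prints) and print the methods both sides accept at level $1.
negotiable_kex() {
    allowed=$(kex_allowed_at_level "$1") || return 1
    while IFS= read -r method; do
        [ -n "$method" ] || continue
        if printf '%s\n' "$allowed" | grep -qxF -- "$method"; then
            printf '%s\n' "$method"
        fi
    done
}

# Highest level (4 down to 1) at which the client kex list in $1 still has at
# least one negotiable method; prints 0 and fails if there is none.
max_safe_level() {
    lvl=4
    while [ "$lvl" -ge 1 ]; do
        if [ -n "$(printf '%s\n' "$1" | negotiable_kex "$lvl")" ]; then
            echo "$lvl"
            return 0
        fi
        lvl=$((lvl - 1))
    done
    echo 0
    return 1
}

# Constructed sample: an old automation host whose ssh offers only these two
# methods (not a real `ssh -Q kex` capture).
LEGACY_CLIENT_KEX='diffie-hellman-group14-sha1
diffie-hellman-group-exchange-sha256'

# On the real client run:  ssh -Q kex | negotiable_kex 4
if [ "${1:-}" = demo ]; then
    echo "Methods the legacy client can use at level 3:"
    printf '%s\n' "$LEGACY_CLIENT_KEX" | negotiable_kex 3
    echo "Highest sshprotocol level that keeps it connected: $(max_safe_level "$LEGACY_CLIENT_KEX")"
fi
```

Run `ssh -Q kex | negotiable_kex N` on every host that scripts against the system before running chsecurity -sshprotocol N; an empty result means that host is locked out at that level. The sample legacy client survives level 3 only through diffie-hellman-group-exchange-sha256, and drops off at level 4.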
Note:
  • When you enable two person integrity, superuser locking is also enabled. While TPI is enabled, you cannot disable superuser locking with chsecurity -superuserlocking disable.
  • You must have the Security Administrator role to configure security settings with the chsecurity command. On a system where TPI is enabled, any change that is made with the chsecurity command requires an approved role elevation.
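Because the superuser parameters are each set one at a time and most of them print no confirmation, it is easy to lose track of the resulting posture. The script below is an added example, not IBM code: it parses the "key value" lines that `lsservicestatus | grep superuser` and `lssecurity` print (in the form shown in the examples on this page) and compares them with a desired baseline, printing the chsecurity command that closes each gap rather than executing anything. The baseline values are an assumed policy, and the sample status text is constructed from the field names shown on this page, not captured from a real system.

```sh
# Added example (not from the IBM documentation): compare the reported
# superuser access controls and SSH login limits with a desired baseline and
# print the chsecurity command for each drifted field.

# Desired baseline (assumed policy; adjust per environment). Columns:
# reported field, wanted value, chsecurity parameter that sets it.
BASELINE='superuser_multi_factor yes -superusermultifactor
superuser_password_sshkey_required yes -superuserpasswordkeyrequired
superuser_gui_disabled yes -disablesuperusergui
superuser_rest_disabled yes -disablesuperuserrest
superuser_cim_disabled yes -disablesuperusercim
ssh_max_tries 3 -sshmaxtries
ssh_grace_time_seconds 120 -sshgracetime'

# Value of field $2 in the "key value" text $1 (empty if the field is absent).
reported_value() {
    printf '%s\n' "$1" | awk -v k="$2" '$1 == k { print $2; exit }'
}

# Print one remediation line per drifted field; output is empty when the
# system already matches the baseline. Nothing is executed: review the
# commands first, because several of them can lock you out.
audit() {
    status="$1"
    printf '%s\n' "$BASELINE" | while read -r key want flag; do
        have=$(reported_value "$status" "$key")
        if [ -z "$have" ]; then
            printf '# %s not reported; check manually\n' "$key"
        elif [ "$have" != "$want" ]; then
            printf 'chsecurity %s %s\n' "$flag" "$want"
        fi
    done
}

# Returns 0 when nothing drifted, 1 otherwise.
is_compliant() {
    [ -z "$(audit "$1")" ]
}

# Constructed sample combining the lsservicestatus and lssecurity fields shown
# on this page (not a capture from a real system).
SAMPLE_STATUS='superuser_locked no
superuser_multi_factor yes
superuser_password_sshkey_required no
superuser_gui_disabled no
superuser_rest_disabled yes
superuser_cim_disabled yes
ssh_max_tries 3
ssh_grace_time_seconds 900'

# Typical use from a jump host (collect both listings, then audit the text):
#   { ssh superuser@<system> lsservicestatus; ssh superuser@<system> lssecurity; } > status.txt
#   audit "$(cat status.txt)"
if [ "${1:-}" = demo ]; then
    audit "$SAMPLE_STATUS"
fi
```

For the sample status the script prints three commands: require password plus SSH key for the superuser, disable superuser GUI access, and lower the SSH grace time to 120 seconds. Apply them in a safe order: register an SSH key for the superuser before -superuserpasswordkeyrequired yes, and make sure another Security Administrator account can reach the GUI before -disablesuperusergui yes. On a system with TPI enabled, each of these changes also needs an approved role elevation, as the note above states.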

An invocation example

chsecurity -superusermultifactor yes

The resulting output

Changing the system security settings could result in a loss of access to the system via SSH or the management GUI. Refer to the Command Line Interface help for more information about the risks associated with each parameter.
Are you sure you wish to continue? (y/yes to confirm) y 

An invocation example

lsservicestatus | grep superuser

The resulting output

superuser_locked no
superuser_multi_factor yes
superuser_password_sshkey_required no
superuser_gui_disabled no
superuser_rest_disabled no
superuser_cim_disabled no 

An invocation example

chsecurity -sshgracetime 900

The resulting output

Changing the system security settings could result in a loss of access to the system via SSH or the management GUI. Refer to the Command Line Interface help for more information about the risks associated with each parameter.
Are you sure you wish to continue? (y/yes to confirm) y

An invocation example

lssecurity | grep grace

The resulting output

ssh_grace_time_seconds 900

An invocation example

chsecurity -sshmaxtries 3

The resulting output

No feedback.

An invocation example

lssecurity | grep max_tries

The resulting output

ssh_max_tries 3

An invocation example

chsecurity -superuserpasswordkeyrequired yes

The resulting output

Changing the system security settings could result in a loss of access to the system via SSH or the management GUI. Refer to the Command Line Interface help for more information about the risks associated with each parameter.
Are you sure you wish to continue? (y/yes to confirm) y

An invocation example

lsservicestatus | grep superuser

The resulting output

superuser_locked no
superuser_multi_factor no
superuser_password_sshkey_required yes
superuser_gui_disabled no
superuser_rest_disabled no
superuser_cim_disabled no

An invocation example

chsecurity -disablesuperuserrest yes

The resulting output

Changing the system security settings could result in a loss of access to the system via SSH or the management GUI. Refer to the Command Line Interface help for more information about the risks associated with each parameter.
Are you sure you wish to continue? (y/yes to confirm) y

An invocation example

svctask chsecurity -disablesuperusercim yes

The resulting output

No feedback.

An invocation example

lsservicestatus | grep superuser

The resulting output

superuser_locked no
superuser_multi_factor no
superuser_password_sshkey_required no
superuser_gui_disabled no
superuser_rest_disabled yes
superuser_cim_disabled yes

An invocation example

chsecurity -sslprotocol 4

The resulting output

Changing the system security settings could result in a loss of access to the system via SSH or the management GUI. Refer to the Command Line Interface help for more information about the risks associated with each parameter.
Are you sure you wish to continue? (y/yes to confirm)

An invocation example

chsecurity -sslprotocol 5

The resulting output

Changing the system security settings could result in a loss of access to the system via SSH or the management GUI. Refer to the Command Line Interface help for more information about the risks associated with each parameter.
Are you sure you wish to continue? (y/yes to confirm)

An invocation example

chsecurity -sshprotocol 2

The resulting output

Changing the system security settings could result in a loss of access to the system via SSH or the management GUI. Refer to the Command Line Interface help for more information about the risks associated with each parameter.
Are you sure you wish to continue? (y/yes to confirm)

Invocation examples

chsecurity -minpasswordlength 12
No feedback.

chsecurity -guitimeout 60
No feedback.

chsecurity -clitimeout 60
No feedback.

chsecurity -superuserlocking enable
Changing the system security settings could result in a loss of access to the system via SSH or the management GUI. Refer to the Command Line Interface help for more information about the risks associated with each parameter.
Are you sure you wish to continue? (y/yes to confirm)

chsecurity -maxfailedlogins 4
No feedback.

chsecurity -lockoutperiod 60
No feedback.

chsecurity -lockoutperiod 0
No feedback.

chsecurity -passwordexpiry 90
No feedback.

chsecurity -passwordexpiry 60 -expirywarning 14
No feedback.

chsecurity -checkpasswordhistory yes
No feedback.

chsecurity -maxpasswordhistory 3
No feedback.

chsecurity -minpasswordage 1
No feedback.

svctask chsecurity -passwordspecialchars 0
No feedback.

svctask chsecurity -passworddigits 1
No feedback.

svctask chsecurity -passwordlowercase 2
No feedback.

svctask chsecurity -passworduppercase 3
No feedback.

chsecurity -resetpolicy
Changing the system security settings could result in a loss of access to the system via SSH or the management GUI. Refer to the Command Line Interface help for more information about the risks associated with each parameter.
Are you sure you wish to continue? (y/yes to confirm)

An invocation example

Enabling TPI on the system:

svctask chsecurity -twopersonintegrity yes

The resulting output

No feedback.

An invocation example

Disabling TPI on the system:

svctask chsecurity -twopersonintegrity no

The resulting output

No feedback.

An invocation example

svctask chsecurity -resetsslprotocol

The resulting output

No feedback.

An invocation example

svctask chsecurity -resetsshprotocol

The resulting output

No feedback.