Upgrade And Downgrade Considerations For Password Management; Account Lockout Policy - HP A7533A - Brocade 4Gb SAN Switch Base Administrator's Manual

expiration during which warnings will commence. Password expiration does not disable or lock out the
account.
Use the following attributes to set the password expiration policy:
• MinPasswordAge
Specifies the minimum number of days that must elapse before a user can change a password.
MinPasswordAge values range from 0 to 999. The default value is zero. Setting this parameter to a
non-zero value discourages users from rapidly changing a password in order to circumvent the
password history setting to select a recently-used password. The MinPasswordAge policy is not
enforced when an administrator changes the password for another user.
• MaxPasswordAge
Specifies the maximum number of days that can elapse before a password must be changed, and is
also known as the password expiration period. MaxPasswordAge values in range from 0 to 999. The
default value is 0. Setting this parameter to zero disables password expiration.
• Warning
Specifies the number of days prior to password expiration that a warning about password expiration is
displayed. Warning values range from 0 to 999. The default value is 0 days.
NOTE:
be set to a value that is less than or equal to MaxPasswordAge.

Upgrade and downgrade considerations for password management

If you are upgrading from a 5.3.x environment to 6.0.0 or later, the existing password databases do not
contain the state information that implements password expiration. So, when the password expiration
policy is first set after an upgrade to 6.0.0 or later, any users who have not changed their password will
have their password expiration period set to the maximum password expiration period. You must explicitly
define the password expiration for users who have not performed a password change subsequent to the
upgrade.
IMPORTANT:
upgrade to 6.0.0, then to 6.1.0, and then to 6.2.0.
For example:
• March 1st—Using Fabric OS 5.3.x release. User A changes her password.
• April 1—Upgrade to 6.0.0 (or later).
May 1—User B changes his password.
•
• June 1—The password configuration parameter MaxPasswordAge is set to 90 days.
User A's password will expire on September 1. User B's password will expire on August 1.

Account lockout policy

The account lockout policy disables a user account when that user exceeds a specified number of failed
login attempts. The policy is enforced across all user accounts. You can configure this policy to keep the
account locked until explicit administrative action is taken to unlock it, or the locked account can be
automatically unlocked after a specified period. Administrators can unlock a locked account at any time.
A failed login attempt counter is maintained for each user on each switch instance. The counters for all user
accounts are reset to zero when the account lockout policy is enabled. The counter for an individual
account is reset to zero when the account is unlocked after a LockoutDuration period expires.
The admin account can also have the lockout policy enabled on it. The admin account lockout policy is
disabled by default and uses the same lockout threshold as the other roles. It can be automatically
unlocked after the lockout duration passes or when it is manually unlocked by either a user account that
has a securityAdmin or other Admin role.
When MaxPasswordAge is set to a non-zero value, MinPasswordAge and Warning must
You cannot upgrade your switch from Fabric OS 5.3.0 directly to 6.2.0. You first have to
Fabric OS 6.2 administrator guide 77