accseccfg command

This command displays and configures account security settings for the advanced management module.

Table 1. accseccfg command
Function What it does Command Valid targets
Display account security settings Displays the user account security settings for the advanced management module. Returned values:
  • Default security settings used (legacy, high, or custom)
  • -am: user authentication method (local, ldap, localldap, or ldaplocal)
  • -alt: authentication logging timeout (in seconds)
  • -cp: complex password (on, off)
  • -ct: CLI inactivity session timeout (in seconds)
  • -dc: minimum different characters in the password (when -cp is enabled)
  • -de: default administration password expiration (on, off)
  • -ia: account inactivity alert time period (in days)
  • -ici: log new login events from same user (on, off)
  • -id: account inactivity disable time period (in days)
  • -lf: maximum login failures
  • -lp: lockout period after maximum login failures (in minutes)
  • -mls: maximum simultaneous user sessions
  • -pc: password change on first access (on, off)
  • -pe: password expiration time period (in days)
  • -pi: minimum password change interval (in hours)
  • -pr: password required (on, off)
  • -rc: password reuse cycle
  • -wt: web inactivity session timeout (in minutes, none, or based on length of user session)
 accseccfg 
                           -T system:mm[x]

where x is the primary management-module bay number.
Set account defaults to legacy level Sets management-module account security to a predefined legacy set of default values. Legacy default values:
  • -alt: retains set value
  • -am: retains set value
  • -cp: off
  • -ct: retains set value
  • -dc: 0
  • -de: off
  • -ia: 0
  • -ici: retains set value
  • -id: 0
  • -lf: 5
  • -lp: 2
  • -mls: retains set value
  • -pc: off
  • -pe: 0
  • -pi: 0
  • -pr: off
  • -rc: 0
  • -wt: retains set value
Note:
  • The user who is running the accseccfg -legacy command must have a password assigned.
  • The -legacy option must be run alone and not in conjunction with any other accseccfg command options.
 accseccfg -legacy
This command can only be run by users who have one or more of the following command authorities:
  • Supervisor
  • Chassis configuration
See Commands and user authority for additional information.
 
                           -T system:mm[x]

where x is the primary management-module bay number.
Set account defaults to high level Sets management-module account security to a predefined high set of default values. High default values are:
  • -am: retains set value
  • -cp: on
  • -ct: retains set value
  • -dc: 2
  • -de: on
  • -ia: 120
  • -id: 180
  • -lf: 5
  • -lp: 60
  • -pc: on
  • -pe: 90
  • -pi: 24
  • -pr: on
  • -rc: 5
  • -wt: retains set value
Note:
  • The user who is running the accseccfg -high command must have a password assigned.
  • The -high option must be run alone and not in conjunction with any other accseccfg command options.
 accseccfg -high
This command can only be run by users who have one or more of the following command authorities:
  • Supervisor
  • Chassis configuration
See Commands and user authority for additional information.
 
                           -T system:mm[x]

where x is the primary management-module bay number.
Set authentication logging timeout Sets a custom value for the amount of time that the management module will not log repeated logins by the same user. accseccfg -alt timeout

where timeout is 0, 5, 30, 60, 300, 600, 1800, 3600, 43200, or 86400 seconds. If a value of none is entered, login logging is disabled.

This command can only be run by users who have one or more of the following command authorities:
  • Supervisor
  • Chassis configuration
See Commands and user authority for additional information.
 
                           -T system:mm[x]

where x is the primary management-module bay number.
Set user authentication method Sets a custom value for management module user authentication method. accseccfg -am method
where method is
  • local
  • ldap
  • localldap
  • ldaplocal
This command can only be run by users who have one or more of the following command authorities:
  • Supervisor
  • Chassis configuration
See Commands and user authority for additional information.
 
                           -T system:mm[x]

where x is the primary management-module bay number.
Enable / disable complex password Enables or disables the complex password for management-module user authentication.
Note: Enabling the complex password also turns on the password required (-pr) command option.
 accseccfg -cp state

where state is on or off.

This command can only be run by users who have one or more of the following command authorities:
  • Supervisor
  • Chassis configuration
See Commands and user authority for additional information.
 
                           -T system:mm[x]

where x is the primary management-module bay number.
Set CLI inactivity timeout Sets the custom value for management-module CLI inactivity session timeout. accseccfg -ct timeout

where timeout is from 0 to 4,294,967,295 seconds, inclusive.

This command can only be run by users who have the following command authorities:
  • Supervisor
  • Chassis configuration
See Commands and user authority for additional information.
 
                           -T system:mm[x]

where x is the primary management-module bay number.
Set minimum number of different characters for password Sets custom value for the minimum number of different characters to be used in a management-module password.
Note: The minimum number of different characters applies only when complex passwords are enabled.
 accseccfg -dc number

where number is from 0 to 15, inclusive.

This command can only be run by users who have one or more of the following command authorities:
  • Supervisor
  • Chassis configuration
See Commands and user authority for additional information.
 
                           -T system:mm[x]

where x is the primary management-module bay number.
Enable / disable default administration password expiration Enables or disables the default administration password expiration for the management module. accseccfg -de state

where state is on or off.

This command can only be run by users who have one or more of the following command authorities:
  • Supervisor
  • Chassis configuration
See Commands and user authority for additional information.
 
                           -T system:mm[x]

where x is the primary management-module bay number.
Set account inactivity alert time Sets custom value for management module account inactivity alert time.
Note: The accseccfg -ia value must be less than the accseccfg -id value.
 accseccfg -ia time

where time is from 0 to 365 days, inclusive.

This command can only be run by users who have one or more of the following command authorities:
  • Supervisor
  • Chassis configuration
See Commands and user authority for additional information.
 
                           -T system:mm[x]

where x is the primary management-module bay number.
Set state for logging of login events from same IP address Enables or disables logging of new login events from the same user from the same IP address.
Note:
This value applies only if the value set by the -alt command option is set to something other than 0 or none.		 accseccfg -ici state

where state is on or off.

This command can only be run by users who have one or more of the following command authorities:
  • Supervisor
  • Chassis configuration
See Commands and user authority for additional information.
 
                           -T system:mm[x]

where x is the primary management-module bay number.
Set account inactivity disable time Sets the custom value for management-module account inactivity disable time.
Note: The accseccfg -id value must be greater than the accseccfg -ia value.
 accseccfg -id time

where time is from 0 to 365 days, inclusive.

This command can only be run by users who have one or more of the following command authorities:
  • Supervisor
  • Chassis configuration
See Commands and user authority for additional information.
 
                           -T system:mm[x]

where x is the primary management-module bay number.
Set maximum number of login failures Sets the custom value for the maximum number of login failures before the management module locks out a user. accseccfg -lf number

where number is from 0 to 10, inclusive.

This command can only be run by users who have one or more of the following command authorities:
  • Supervisor
  • Chassis configuration
See Commands and user authority for additional information.
 
                           -T system:mm[x]

where x is the primary management-module bay number.
Set lockout period Sets the custom value for management-module account lockout period, used when the maximum number of login failures is exceeded. accseccfg -lp time

where time is from 0 to 2880 minutes, inclusive.

This command can only be run by users who have one or more of the following command authorities:
  • Supervisor
  • Chassis configuration
See Commands and user authority for additional information.
 
                           -T system:mm[x]

where x is the primary management-module bay number.
Set maximum LDAP sessions for user Sets the custom value for the maximum number of simultaneous login sessions allowed for a single LDAP user accseccfg -mls max_sessions

where max_sessions is from 0 to 20, inclusive.

This command can only be run by users who have the following command authorities:
  • Supervisor
  • Chassis configuration
See Commands and user authority for additional information.
 
                           -T system:mm[x]

where x is the primary management-module bay number.
Enable / disable password change at first login Enables or disables the mandatory password change at first management-module login. accseccfg -pc state

where state is on or off.

This command can only be run by users who have one or more of the following command authorities:
  • Supervisor
  • Chassis configuration
See Commands and user authority for additional information.
 
                           -T system:mm[x]

where x is the primary management-module bay number.
Set password expiration time Sets custom value for the management module password expiration time. accseccfg -pe time

where time is from 0 to 365 days, inclusive.

This command can only be run by users who have one or more of the following command authorities:
  • Supervisor
  • Chassis configuration
See Commands and user authority for additional information.
 
                           -T system:mm[x]

where x is the primary management-module bay number.
Set password minimum change interval Sets custom value for the minimum amount of time between management module password changes. accseccfg -pi time

where time is from 0 to 1440 hours, inclusive, and less than password expiration period when that period is greater than 0.

This command can only be run by users who have the following command authorities:
  • Supervisor
  • Chassis configuration
See Commands and user authority for additional information.
 
                           -T system:mm[x]

where x is the primary management-module bay number.
Enable / disable password required Enables or disables the password required for management module.
Notes:
  • The user that is running the accseccfg -pr command must have a password assigned.
  • Disabling password required also turns off the complex password (-cp) command option.
 accseccfg -pr state

where state is on or off.

This command can only be run by users who have one or more of the following command authorities:
  • Supervisor
  • Chassis configuration
See Commands and user authority for additional information.
 
                           -T system:mm[x]

where x is the primary management-module bay number.
Set password reuse cycle Sets custom value for the management module password reuse cycle. This setting determines how many times a password must be changed before being reused. accseccfg -rc number_reuses

where number_reuses is from 0 to 5, inclusive.

This command can only be run by users who have the following command authorities:
  • Supervisor
  • Chassis configuration
See Commands and user authority for additional information.
 
                           -T system:mm[x]

where x is the primary management-module bay number.
Set web interface inactivity timeout Sets custom value for management module web interface inactivity session timeout. accseccfg -wt timeout

where timeout is 1, 5, 10, 15, or 20 minutes, none (no timeout), or user (user picks timeout each time they log in to the web interface).

This command can only be run by users who have one or more of the following command authorities:
  • Supervisor
  • Chassis configuration
See Commands and user authority for additional information.
 
                           -T system:mm[x]

where x is the primary management-module bay number.

Example:

To disable management-module authentication logging timeout, while management module 1 is set as the persistent command environment, at the system:mm[1]> prompt, type 
                  accseccfg -alt none
To set management-module account security to use the high level defaults, while management module 1 is set as the persistent command environment, at the system:mm[1]> prompt, type 
                  accseccfg -high
To display the account security settings for the management module, while management module 1 is set as the persistent command environment, at the system:mm[1]> prompt, type 
                  accseccfg

The following example shows the information that is returned from these commands:

               system:mm[1]> accseccfg -alt none
OK
system:mm[1]> accseccfg -high
OK
system:mm[1]> accseccfg
-high
-alt 600
-am local
-cp on
-ct 0
-dc 2
-de on
-ia 120
-ici on
-id 180
-lf 5
-lp 60
-mls 5
-pc on
-pe 90
-pi 24
-pr on
-rc 5
-wt user
system:mm[1]>
Parent topic: Command syntax