HPE Community
Operating System - HP-UX
1832746 Members
3415 Online
110044 Solutions
New Discussion

Enabling trusted mode in SAP production server.

 
Mahamudul Hassan
Frequent Advisor

‎10-03-2009 08:25 PM

‎10-03-2009 08:25 PM

Enabling trusted mode in SAP production server.

HI All,
We want to enable trusted mode in our SAP production Server But initially we will not configure any security rule for one week after enabling trusted mode.

1.If we enable trusted mode will all existing users has same user name, password, privilege as before.
2.What pre questioners measure should we take before enabling trusted mode and create specific security rules.( example: password aging, minimum password length, password expiration etc.

Please reply soon.
Thanks
0 Kudos
Reply
1 REPLY 1
Matti_Kurkela
Honored Contributor

‎10-04-2009 05:01 AM

‎10-04-2009 05:01 AM

Re: Enabling trusted mode in SAP production server.

1.) Yes. Usernames, passwords and group assignments will not change.

2.) Instruct your users that if they have used a password longer than 8 characters and the password seems not to work after the change, the user must type only the first 8 characters of the password.

This is because the traditional non-trusted mode only stores the first 8 characters of the password and ignores the rest. The trusted mode can store longer passwords, and therefore it does not ignore the extra characters.

The longer password can be made to work again by changing the password once the system has been converted to trusted mode.

The recommended way to change to trusted mode is to use SAM. If you use the "tsconvert" command, you may experience that all user accounts will become expired. To avoid that, you can use "modprpw -V" to un-expire all accounts.

Remember to set the maximum password length to something more than the default 8 characters right after switching to trusted mode.

General password policy tips:

If you set up strict requirements for the password quality (= long and complex passwords) and require the users to change them often, the users will not bother to memorize the passwords. You get the "the high-quality password of the week is on the sticky note on the edge of the monitor" phenomenon, which can be much worse security than having passwords with average quality that are stored only within the heads of the users.

If you need to create user accounts for consultants or other temp workers, set their account lifetime so that the account will automatically disable itself after user's project or work term is over. This protects your security in case you forget to disable the account manually.

MK
MK
0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.