Version: 8.2411.x.x RR

PUK

This table lists the policy parameters specific to PUK credentials.

In addition to the policy parameters defined in this table, the policy parameter defined in the table in the chapter All credential types is also valid for PUK credentials.

| Name | Data type, values | Default | Description |
| --- | --- | --- | --- |
| credentialLifetime | Data type: int (>0) | 10 years in milliseconds | The time to live of the PUK credential in milliseconds. After the defined period of time, the user will not be able to log in with this PUK credential anymore. |
| maxCredFailureCount | Data type: int (>0) or -1 | 3 | Maximum number of login failures before a PUK is locked. If set to "-1", the maximum failure counter is disabled. |
| maxCredSuccessCount | Data type: int (>0) | 5 | Maximum number of successful logins before the PUK is locked. |
| plainValueExposedToCaller | Data type: boolean | false | If this parameter is true, the plain value of the PUK credential will be returned by the web services or written to the returned Excel template in case of user import. Generally, we do not recommend enabling this parameter because it decreases the security of the PUK credential. |
| pukCharacterSet | Data type: String | abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 | The characters used when generating the PUK. |
| pukLen | Data type: int (>-1) | 30 | Length of the generated PUK credential. It is communicated to the credential's user. |
| pukLifetime | Data type: int (>0) | 10 years in milliseconds | Lifetime of a PUK in milliseconds before a PUK regeneration is needed. The parameter is read from the policy at every login, i.e., modifications to the parameter take effect immediately. |
| sendingMethod | Data type: comma-separated list of enums. Values: any subset of PDFstore, Print, Email, HTMLemail, PDFemail, SMS_SMTP, None; or PDFstream alone | PDFstore | Defines a fallback list of different methods of how a credential should be communicated to the user (if the first method fails for some reason, the second is tried, and so on). See the additional notes on sendingMethod below this table. |
| templatePrecedence | Data type: int | null | The precedence number of the template to use during the communication with the user. If the parameter is not set, the default template will be used. If no template exists with the given precedence number, an error will occur. |
| tmpLockingDuration | Data type: long | 60000 | Duration of the temporary locking in milliseconds. Use a tmpLockingDuration of at least 30000, since the exact duration cannot be guaranteed below this value. |
| tmpLockingMode | Data type: String. Values: strict, threshold | strict | strict: when the first temporary locking period is over, the user can try to log in only once before the next temporary locking period activates. threshold: the user can always try "tmpLockingThreshold" times to log in before the next temporary locking period activates. |
| tmpLockingThreshold | Data type: int | 2 | Number of login failures before the PUK is temporarily locked. |

Additional notes on the sendingMethod parameter:

All methods (except None) will fail if the corresponding template is missing or one or more of the mandatory placeholders are empty. If sendingMethod is not defined at all, nevisIDM takes the default value. The default value has no fallbacks.

Special sendingMethod for the GUI: "PDFstream". This sendingMethod cannot be part of a fallback list. After PUK credential creation or reset, a transient link appears in the CredentialModify view of the GUI. The link can be used to download the communication PDF. If an error occurs during PDF generation, the credential's plain value is lost, rendering the credential unusable for its owner. The same happens when the user leaves the view without clicking on the link.

If "PDFstore" is configured, the following additional parameter can be defined:

- PDFstore.destDir (optional): Defines the destination directory where the PDF is to be saved. If the parameter is not configured, the destination directory set in the configuration file nevisidm-prod.properties is used as fallback.

If "SMS_SMTP" is configured, the following additional parameters have to be defined:

- SMS_SMTP.smtp.host (mandatory): Host name of the SMTP server. During startup, the availability of the configured SMTP server is checked.
- SMS_SMTP.smtp.port: Port of the SMTP server.
- SMS_SMTP.message.from (mandatory): Sender of the SMS message. It has to be a valid e-mail address.
- SMS_SMTP.message.to (mandatory): Receiver of the SMS message. It has to contain the "${phonenumber}" placeholder. For example: ${phonenumber}@sms.mycompany.ch.
- SMS_SMTP.message.subject (mandatory): Subject of the e-mail sent to the SMTP gateway.

The sending method "PDFemail" requires two templates: one e-mail template and one OpenOffice template. If either of the templates is missing, the PDF sending will fail. The credential value is propagated only to the PDF document. If "PDFemail" is configured, the following additional parameter can be defined:

- PDFemail.htmlEmail (optional, default: false): If the parameter is "true", an HTML e-mail is sent. Otherwise, a plain text e-mail is sent.
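The following Python script is an added, constructed model of how the PUK generation parameters (pukCharacterSet, pukLen) and the locking parameters (maxCredFailureCount, maxCredSuccessCount, tmpLockingMode, tmpLockingThreshold, tmpLockingDuration, credentialLifetime) interact over a sequence of login attempts. It is not nevisIDM's code: the locking rules follow the parameter descriptions in the table literally, and the assumptions it makes beyond the table (the failure counter is reset by a successful login, and attempts made while temporarily locked are not counted) are marked in comments. The `PukPolicy`, `PukState`, `attempt_login` and `run_scenario` names are this example's own.

```python
import math
import secrets
from dataclasses import dataclass

# Constructed, illustrative model of the PUK policy parameters listed above.
# This is NOT nevisIDM's implementation: the locking rules follow the parameter
# descriptions literally; counter resets on success and the handling of
# attempts made during a temporary lock are assumptions of this example.

TEN_YEARS_MS = 10 * 365 * 24 * 60 * 60 * 1000


@dataclass
class PukPolicy:
    """Policy parameters, initialised with the table's default values."""
    pukCharacterSet: str = ("abcdefghijklmnopqrstuvwxyz"
                            "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789")
    pukLen: int = 30
    maxCredFailureCount: int = 3      # -1 disables the failure counter
    maxCredSuccessCount: int = 5
    tmpLockingMode: str = "strict"    # "strict" or "threshold"
    tmpLockingThreshold: int = 2
    tmpLockingDuration: int = 60000   # milliseconds
    credentialLifetime: int = TEN_YEARS_MS


def generate_puk(policy: PukPolicy) -> str:
    """Draw pukLen characters from pukCharacterSet using a CSPRNG."""
    return "".join(secrets.choice(policy.pukCharacterSet) for _ in range(policy.pukLen))


def puk_entropy_bits(policy: PukPolicy) -> float:
    """Guessing entropy of a generated PUK: pukLen * log2(|character set|)."""
    return policy.pukLen * math.log2(len(set(policy.pukCharacterSet)))


@dataclass
class PukState:
    created_at_ms: int
    consecutive_failures: int = 0    # counts towards maxCredFailureCount
    successes: int = 0               # counts towards maxCredSuccessCount
    failures_since_tmp_lock: int = 0
    tmp_locks_so_far: int = 0
    tmp_locked_until_ms: int = 0
    locked: bool = False             # permanent lock


def attempt_login(policy: PukPolicy, state: PukState, now_ms: int, correct: bool) -> str:
    """Apply one login attempt and return its outcome: 'ok', 'wrong',
    'wrong_tmp_locked' (this failure started a temporary lock), 'tmp_locked'
    (rejected during a temporary lock), 'locked', or 'expired'."""
    if state.locked:
        return "locked"
    if now_ms >= state.created_at_ms + policy.credentialLifetime:
        return "expired"
    if now_ms < state.tmp_locked_until_ms:
        return "tmp_locked"          # assumption: not counted as a failure
    if correct:
        state.successes += 1
        state.consecutive_failures = 0   # assumption: success resets the counter
        state.failures_since_tmp_lock = 0
        if state.successes >= policy.maxCredSuccessCount:
            state.locked = True      # maxCredSuccessCount reached: no further logins
        return "ok"
    state.consecutive_failures += 1
    state.failures_since_tmp_lock += 1
    if (policy.maxCredFailureCount != -1
            and state.consecutive_failures >= policy.maxCredFailureCount):
        state.locked = True
        return "locked"
    # The first temporary lock always needs tmpLockingThreshold failures; after
    # that, strict mode allows one attempt, threshold mode tmpLockingThreshold.
    if state.tmp_locks_so_far == 0 or policy.tmpLockingMode == "threshold":
        allowed = policy.tmpLockingThreshold
    else:
        allowed = 1
    if state.failures_since_tmp_lock >= allowed:
        state.tmp_locked_until_ms = now_ms + policy.tmpLockingDuration
        state.tmp_locks_so_far += 1
        state.failures_since_tmp_lock = 0
        return "wrong_tmp_locked"
    return "wrong"


def run_scenario(policy: PukPolicy, attempts):
    """attempts: list of (time_ms, correct) tuples; returns the outcome list."""
    state = PukState(created_at_ms=0)
    return [attempt_login(policy, state, t, ok) for t, ok in attempts]


if __name__ == "__main__":
    # Constructed attempt sequence: two failures, one attempt inside the lock,
    # then further failures after the 60 s temporary lock has expired.
    seq = [(0, False), (1000, False), (2000, False), (61000, False), (62000, False)]
    strict = PukPolicy(maxCredFailureCount=-1, tmpLockingMode="strict")
    threshold = PukPolicy(maxCredFailureCount=-1, tmpLockingMode="threshold")
    print("strict:   ", run_scenario(strict, seq))
    print("threshold:", run_scenario(threshold, seq))
    print("default:  ", run_scenario(PukPolicy(), seq))
    print(f"PUK entropy: {puk_entropy_bits(PukPolicy()):.1f} bits")
```

Running the same five attempts under the three policies shows the difference the parameters make: with maxCredFailureCount disabled, strict mode re-locks on the single failure after the first lock expires while threshold mode grants tmpLockingThreshold attempts again; with the default maxCredFailureCount of 3, the attempt after the first temporary lock permanently locks the PUK. The entropy helper shows why a 30-character PUK drawn from the default 62-character set (about 178 bits) needs the lockout only as defence in depth, and why a shortened pukLen or reduced pukCharacterSet shifts that burden onto the locking parameters.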