Version: 7.2402.x.x RR

PUK

This table lists the policy parameters specific to PUK credentials.

In addition to the policy parameters defined in this table, the policy parameter defined in the table in the chapter All credential types is also valid for PUK credentials.

Name	Data Type, Values	Default	Description
credentialLifetime	Data type: int (>0)	10 years in milliseconds	The time to live of the PUK credential in milliseconds. After the defined period of time, the user will not be able to log in with this PUK credential anymore.
maxCredFailureCount	Data type: int (>0) or -1	3	Maximum number of login failures before a PUK is locked. If set to "-1", the max. failure counter is disabled.
maxCredSuccessCount	Data type: int (>0)	5	Maximum number of successful logins before the PUK is locked.
plainValueExposedToCaller	Data type: boolean	false	If this parameter is true, the plain value of the PUK credential will be returned by the web services or written to the returned Excel template in case of user import. Generally, we do not recommend enabling this parameter because it decreases the security of the PUK credential.
pukCharacterSet	Data type: String	abcdefghijklmn opqrstuvwxyz ABCDEFGHIJKLMN OPQRSTUVWXYZ 0123456789	The characters used when generating the PUK.
pukLen	Data type: int (>-1)	30	Length of the generated PUK credential. It is communicated to the credential's user.
pukLifetime	Data type: int (>0)	10 years in milliseconds	Lifetime of a PUK in milliseconds before a PUK regeneration is needed. The parameter will be read from the policy at every login, i.e., modifications to the parameter will take effect immediately.
sendingMethod	Data Type: comma-separated list of enums Values: any subset of PDFstore, Print, Email, HTMLemail, PDFemail, SMS_SMTP, None OR PDFstream alone	PDFstore	Defines a fallback list of different methods of how a credential should be communicated to the user (if the first method fails for some reason, the second is tried, and so on). All methods (except None) will fail if the corresponding template is missing or one or more of the mandatory placeholders are empty. If sendingMethod was not defined at all, nevisIDM takes the default value. The default value has no fallbacks. Special sendingMethod for GUI: "PDFstream"This sendingMethod cannot be part of a fallback list. After PUK credential creation or reset, a transient link appears in the CredentialModify view on the GUI. The link can be used to download the communication PDF. If there is an error at PDF generation, the password's plain value will be lost, rendering the credential unusable for the owner. The same happens when the user leaves the view without clicking on the link. If "PDFstore" is configured, the following additional parameters can be defined: PDFstore.destDir (optional): Defines the destination directory where the PDF is to be saved. If the parameter is not configured, the destination directory set in the configuration nevisidm-prod.properties will be used as fallback. If "SMS_SMTP" is configured, the following additional parameters have to be defined: SMS_SMTP.smtp.host (mandatory): host name of the SMTP server. During the startup, the availability of the configured SMTP server is checked. SMS_SMTP.smtp.port: port of the SMTP server. SMS_SMTP.message.from (mandatory): Sender of the SMS message. It has to be a valid e-mail address. SMS_SMTP.message.to (mandatory): Receiver of the SMS message. It has to contain the "${phonenumber}" placeholder. For example: `${phonenumber}@sms.mycompany.ch`. SMS_SMTP.message.subject (mandatory): Subject of the e-mail sent to the SMTP gateway. The sending method "PDFemail" requires two templates: one e-mail and one OpenOffice template. If either of the templates are missing, the PDF sending will fail. The credential value will be propagated only to the PDF document. If "PDFemail" is configured, the following additional parameter can be defined: PDFemail.htmlEmail (optional, default: false): If the parameter is "true", an HTML e-mail will be sent. Otherwise, a plain text e-mail will be sent.
templatePrecedence	Data type: int	null	The precedence number of the template we want to use during the communication with the user. If the parameter is not set, the default template will be used. If no template exists with the given precedence number, an error will occur.
tmpLockingDuration	Data type: long	60000	Duration of the temporary locking in milliseconds. Use a tmpLockingDuration of at least 30000 since the exact duration cannot be guaranteed below this value.
tmpLockingMode	Data type: String Values: strict, threshold	strict	strict: when the first temporary locking period is over, the user can try to log in only once before the next temporary locking period activates. threshold: the user can always try "tmpLockingThreshold" times to log in before the next temporary locking period activates.
tmpLockingThreshold	Data type: int	2	Number of login failures before a password is temporarily locked.