Version: 8.2411.x.x RR

Temporary strong password

Policy parameters specific to temporary strong passwords.

In addition to the policy parameters defined in this section, the policy parameter defined in the table in the chapter All credential types is also valid for temporary strong password credentials.

credentialLifetime (formerly ticketLifetime)

Data type: long (> 0)

Default: 5 days in milliseconds

Description: The time to live (in milliseconds) of the temporary strong password. After the defined period of time, the user will not be able to log in with this password anymore. The parameter credentialLifetime replaces the parameter ticketLifetime. The parameter ticketLifetime is still supported but deprecated.

hashAlgorithm

Data type: enum

Values: SSHA, SSHA256

Default: SSHA256

Description: Defines the hash algorithm used for password hashing. The supported algorithms are salted SHA-1 (SSHA) and salted SHA-256 (SSHA256). Since nevisIDM 2.21.2.0, SSHA has been marked as deprecated because collision attacks faster than brute force have been found against SHA-1, and the default of nevisIDM has changed to SSHA256. Note that changing this parameter is fully backward compatible: only newly created passwords are hashed with the defined algorithm, and existing hashes stay valid.

templatePrecedence

Data type: int

Default: null

Description: The precedence number of the template used for communicating with the user. If the parameter is not set, the default template is used. If no template exists with the given precedence number, an error occurs.

ticketCharacterSet

Data type: String

Default: 0123456789abcdefghijklmnopqrstuvwxzyABCDEFGHIJKLMNOPQRSTUVWXYZ

Description: The characters used when generating the temporary strong password.

ticketLen0

Data type: int (> -1)

Default: 30

Description: Length of the first part of the generated password. This part is returned in the response to the caller (SOAP interface) or shown to the administrator (web GUI).

ticketLen1

Data type: int (> -1)

Default: 0

Description: Length of the second part of the generated password. This part is communicated to the credential's user.

ticketReuseEnabled

Data type: boolean

Default: false

Description: If set to "false", the temporary strong password can only be used once. Otherwise, it can be reused.
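The parameters above (hashAlgorithm, credentialLifetime, ticketCharacterSet, ticketLen0, ticketLen1 and ticketReuseEnabled) interact at two points: when the password is generated and when a login is checked against it. The following Python is an added illustration of that flow, not nevisIDM code. It assumes an LDAP-style `{SSHA256}base64(digest || salt)` storage layout, a two-field split where part 0 is returned to the caller and part 1 to the user, and the policy defaults documented on this page; the class and function names are the example's own. Verification reads the algorithm tag from the stored value, which is what makes switching the policy from SSHA to SSHA256 backward compatible for already stored hashes.

```python
import base64
import hashlib
import os
import secrets
from dataclasses import dataclass
from typing import Optional, Tuple

# Policy values taken from the defaults documented on this page.
DEFAULT_POLICY = {
    "credentialLifetime": 5 * 24 * 60 * 60 * 1000,  # 5 days in milliseconds
    "hashAlgorithm": "SSHA256",
    "ticketCharacterSet": "0123456789abcdefghijklmnopqrstuvwxzyABCDEFGHIJKLMNOPQRSTUVWXYZ",
    "ticketLen0": 30,
    "ticketLen1": 0,
    "ticketReuseEnabled": False,
}

_DIGESTS = {"SSHA": hashlib.sha1, "SSHA256": hashlib.sha256}


def ssha_hash(password: str, algorithm: str = "SSHA256", salt: Optional[bytes] = None) -> str:
    """Salted SHA in the '{ALG}base64(digest || salt)' layout (an assumption of this
    example, not nevisIDM's real storage format). A fresh random salt is drawn per hash."""
    if algorithm not in _DIGESTS:
        raise ValueError(f"unsupported hashAlgorithm: {algorithm}")
    salt = salt if salt is not None else os.urandom(16)
    digest = _DIGESTS[algorithm](password.encode("utf-8") + salt).digest()
    return "{" + algorithm + "}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password: str, stored: str) -> bool:
    """Verify with whichever algorithm the stored value was created under, so old SSHA
    hashes keep working after the policy default moves to SSHA256."""
    algorithm, _, payload = stored[1:].partition("}")
    if algorithm not in _DIGESTS:
        return False
    raw = base64.b64decode(payload)
    size = _DIGESTS[algorithm]().digest_size
    digest, salt = raw[:size], raw[size:]
    candidate = _DIGESTS[algorithm](password.encode("utf-8") + salt).digest()
    return secrets.compare_digest(candidate, digest)  # constant-time comparison


def generate_parts(policy: dict) -> Tuple[str, str]:
    """Draw ticketLen0 + ticketLen1 characters from ticketCharacterSet with a CSPRNG.
    Part 0 goes to the caller/administrator, part 1 to the user; the password is their
    concatenation, so neither side alone holds the whole secret when ticketLen1 > 0."""
    charset = policy["ticketCharacterSet"]
    len0, len1 = policy["ticketLen0"], policy["ticketLen1"]
    if len0 < 0 or len1 < 0 or len0 + len1 == 0 or not charset:
        raise ValueError("ticketLen0/ticketLen1 must be >= 0 and sum to a positive length")
    part0 = "".join(secrets.choice(charset) for _ in range(len0))
    part1 = "".join(secrets.choice(charset) for _ in range(len1))
    return part0, part1


@dataclass
class TemporaryStrongPassword:
    hash: str
    created_ms: int
    lifetime_ms: int
    reuse_enabled: bool
    used: bool = False

    @classmethod
    def create(cls, policy: dict, created_ms: int) -> Tuple["TemporaryStrongPassword", str, str]:
        """Generate, hash and wrap a credential; only the hash is kept, the parts are returned once."""
        part0, part1 = generate_parts(policy)
        cred = cls(
            hash=ssha_hash(part0 + part1, policy["hashAlgorithm"]),
            created_ms=created_ms,
            lifetime_ms=policy["credentialLifetime"],
            reuse_enabled=policy["ticketReuseEnabled"],
        )
        return cred, part0, part1

    def authenticate(self, presented: str, now_ms: int) -> str:
        """Return 'ok' or the reason the login is refused: lifetime first, then single-use,
        then the hash check."""
        if now_ms - self.created_ms > self.lifetime_ms:
            return "expired"
        if self.used and not self.reuse_enabled:
            return "already-used"
        if not ssha_verify(presented, self.hash):
            return "wrong-password"
        self.used = True
        return "ok"
```

With the documented defaults, `generate_parts` returns a 30-character part 0 and an empty part 1, so the whole secret is shown to the administrator; raising ticketLen1 moves part of it to the user-facing channel.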

sendingMethod

Data type: comma-separated list of enums

Values: any subset of PDFstore, Print, Email, HTMLemail, PDFemail, SMS_SMTP, None; or PDFstream alone

Default: Email

Description: Defines a fallback list of different methods of how a credential should be communicated to the user (if the first method fails for some reason, the second is tried, and so on).

Method "Email" will fail if the user has no e-mail address or the address is invalid. Method "SMS_SMTP" will fail if the user has no mobile number or the mobile number is invalid. All methods (except None) will fail if the corresponding template is missing or one or more of the mandatory placeholders are empty. If sendingMethod was not defined at all, nevisIDM takes the default value. The default value has no fallbacks.

Special sendingMethod for GUI access only: "PDFstream". This sendingMethod cannot be part of a fallback list. After a temporary strong password is created or reset, a transient link appears in the CredentialModify view of the admin GUI. The link can be used to download the communication PDF holding the credential information, which can then be communicated to the user by non-nevisIDM means. If an error occurs during PDF generation, the password's plain value is not known to anybody, which renders the credential unusable. The same happens when the administrator leaves the view without downloading the PDF.

If PDFstore is configured, the following additional parameters can be defined:

  • PDFstore.destDir (optional): Defines the destination directory where the PDF is to be saved. If the parameter is not configured, the destination directory set in the configuration nevisidm-prod.properties will be used as fallback.

If "SMS_SMTP" is configured, the following additional parameters have to be defined:

  • SMS_SMTP.smtp.host (mandatory): host name of the SMTP server. During startup, the availability of the configured SMTP server is checked.
  • SMS_SMTP.smtp.port: port of the SMTP server.
  • SMS_SMTP.message.from (mandatory): Sender of the SMS message. It has to be a valid e-mail address.
  • SMS_SMTP.message.to (mandatory): Receiver of the SMS message. It has to contain the ${phonenumber} placeholder. For example: ${phonenumber}@sms.mycompany.ch.
  • SMS_SMTP.message.subject (mandatory): Subject of the e-mail sent to the SMTP gateway.

The sending method "PDFemail" requires two templates: one e-mail and one OpenOffice template. If either of the templates is missing, the PDF sending will fail. The credential value will be propagated only to the PDF document. If "PDFemail" is configured, the following additional parameter can be defined:

  • PDFemail.htmlEmail (optional, default: false): If the parameter is "true", an HTML e-mail will be sent. Otherwise, a plain text e-mail will be sent.
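The fallback semantics of sendingMethod described above (try each method in order, skip a method whose precondition fails, accept PDFstream only on its own, fall back to the default Email with no alternatives when the parameter is unset) are easy to get wrong in a policy validator or a test double. The following Python is an added simulation of that decision logic, not nevisIDM code. It assumes a simplified template model (one dictionary of placeholder values per method, so the two-template requirement of PDFemail is not modelled), a deliberately simple e-mail and mobile-number syntax check, and a gateway address pattern in which `${phonenumber}` is expanded with Python's `string.Template`, mirroring the SMS_SMTP.message.to placeholder; the function names and the `sms.example.invalid` placeholder domain are the example's own.

```python
import re
from string import Template
from typing import Dict, List, Optional, Tuple

ALLOWED = {"PDFstore", "Print", "Email", "HTMLemail", "PDFemail", "SMS_SMTP", "None"}
DEFAULT_SENDING_METHOD = ["Email"]  # documented default: a single method, no fallbacks

_EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")  # assumption: a coarse syntax check only
_MOBILE_RE = re.compile(r"^\+?[0-9]{6,15}$")            # assumption: digits with optional leading '+'


def parse_sending_method(value: Optional[str]) -> List[str]:
    """Parse the comma-separated fallback list. PDFstream is accepted only on its own;
    an unset or empty parameter yields the documented default."""
    if value is None or not value.strip():
        return list(DEFAULT_SENDING_METHOD)
    methods = [m.strip() for m in value.split(",") if m.strip()]
    if "PDFstream" in methods:
        if methods != ["PDFstream"]:
            raise ValueError("PDFstream cannot be part of a fallback list")
        return methods
    unknown = [m for m in methods if m not in ALLOWED]
    if unknown:
        raise ValueError(f"unknown sendingMethod value(s): {unknown}")
    return methods


def _check_preconditions(method: str, user: Dict[str, Optional[str]],
                         templates: Dict[str, Dict[str, Optional[str]]]) -> Optional[str]:
    """Return None if the method can run, otherwise the reason it would fail."""
    if method == "Email" and not _EMAIL_RE.match(user.get("email") or ""):
        return "no valid e-mail address"
    if method == "SMS_SMTP" and not _MOBILE_RE.match(user.get("mobile") or ""):
        return "no valid mobile number"
    if method == "None":
        return None  # the only method that needs no template
    template = templates.get(method)
    if template is None:
        return "template missing"
    empty = [name for name, val in template.items() if val in (None, "")]
    if empty:
        return f"empty mandatory placeholder(s): {empty}"
    return None


def deliver(methods: List[str], user: Dict[str, Optional[str]],
            templates: Dict[str, Dict[str, Optional[str]]],
            sms_to_pattern: str = "${phonenumber}@sms.example.invalid") -> Tuple[str, List[str]]:
    """Walk the fallback list and return (method used, attempt log). Raises if every
    method fails, which is the case where the credential can never reach the user."""
    attempts: List[str] = []
    for method in methods:
        reason = _check_preconditions(method, user, templates)
        if reason is not None:
            attempts.append(f"{method}: failed ({reason})")
            continue
        if method == "SMS_SMTP":
            # SMS_SMTP.message.to must contain ${phonenumber}; expand it per user.
            to_addr = Template(sms_to_pattern).substitute(phonenumber=user["mobile"])
            attempts.append(f"SMS_SMTP: sent via gateway address {to_addr}")
        else:
            attempts.append(f"{method}: sent")
        return method, attempts
    raise RuntimeError("all sending methods failed: " + "; ".join(attempts))
```

The attempt log is the part worth keeping in a real integration: when every method in the list fails, the log states which precondition (address, number, template, placeholder) broke each step, which is what an operator needs to repair the policy rather than reissue the credential blindly.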