Update node authentication policy and password complexity configuration

Update the currently configured authentication policy and password complexity on the node.
If any of api_max_auth_failures, api_failed_auth_reset_period, or
api_failed_auth_lockout_period are modified, the http service is
automatically restarted.
Whereas change in any password complexity will not be applicable on already configured
user passwords. Administrators need to enforce password change for existing user accounts
in order to match newly configured complexity requirements enforced in system.
All values from AuthenticationPolicyProperties are in sync among the management cluster nodes.

Request:

Method:

PUT

URI Path(s):

/api/v1/transport-nodes/{transport-node-id}/node/aaa/auth-policy
/api/v1/cluster/{cluster-node-id}/node/aaa/auth-policy
/api/v1/node/aaa/auth-policy

Request Headers:

n/a

Query Parameters:

n/a

Request Body:

AuthenticationPolicyProperties+

AuthenticationPolicyProperties (schema)

Name	Description	Type	Notes
_links	References related to this resource The server will populate this field when returing the resource. Ignored on PUT and POST.	array of ResourceLink	Readonly
_retry_prompt	Prompt user at most N times before returning with error.	integer	Readonly Default: "3"
_schema	Schema for this resource	string	Readonly
_self	Link to this resource	SelfResourceLink	Readonly
api_failed_auth_lockout_period	Lockout period in seconds Once a lockout occurs, the account remains locked out of the API for this time period. Only applies to NSX Manager nodes. Ignored on other node types.	integer	Minimum: 0 Default: "900"
api_failed_auth_reset_period	Period, in seconds, for authentication failures to trigger lockout In order to trigger an account lockout, all authentication failures must occur in this time window. If the reset period expires, the failed login count is reset to zero. Only applies to NSX Manager nodes. Ignored on other node types.	integer	Minimum: 0 Default: "900"
api_max_auth_failures	Number of authentication failures that trigger API lockout Only applies to NSX Manager nodes. Ignored on other node types.	integer	Minimum: 0 Default: "5"
cli_failed_auth_lockout_period	Lockout period in seconds Once a lockout occurs, the account remains locked out of the CLI for this time period. While the lockout period is in effect, additional authentication attempts restart the lockout period, even if a valid password is specified.	integer	Minimum: 0 Maximum: 604800 Default: "900"
cli_max_auth_failures	Number of authentication failures that trigger CLI lockout	integer	Minimum: 0 Maximum: 10 Default: "5"
digits	Number of digits in password Number of digits (0..9) expected in user password. N < 0, to set minimum credit for having digits in the new password, i.e. this is the minimum number of digits that must be met for a new password. N > 0, to set maximum credit for having digits in the new password, i.e. per occurrence of digit in password will attribute additional credit of +1 towards meeting the current minimum_password_length value upto N digits. N = 0, policy will be not applicable. By default minimum 1 digit is required for a new password.	integer	Minimum: -128 Maximum: 128 Default: "-1"
hash_algorithm	Hash algorithm Sets hash/cryptographic algorithm type for new passwords.	string	Enum: sha512, sha256 Default: "sha512"
lower_chars	Number of lower-case characters in password Number of lower case characters (a..z) expected in user password. N < 0, to set minimum credit for having lower case characters in the new password, i.e. this is the minimum number of lower case characters that must be met for a new password. N > 0, to set maximum credit for having lower case characters in the new password, i.e. per occurrence of lower case character in password will attribute additional credit of +1 towards meeting the current minimum_password_length value upto N lower case characters. N = 0, policy will be not applicable. By default minimum 1 lower case character is required for a new password.	integer	Minimum: -128 Maximum: 128 Default: "-1"
max_repeats	Number of same consecutive characters Reject passwords which contain more than N same consecutive characters, like aaa or 7777. To disable the check, value should be set to 0.	integer	Minimum: 0 Maximum: 128 Default: "0"
max_sequence	Length of permissible monotonic sequence in password substring Reject passwords which contain more than N monotonic character sequences. Monotonic sequences can be '12345' or 'fedcb'. To disable the check, value should be set to 0.	integer	Minimum: 0 Maximum: 128 Default: "0"
maximum_password_length	Maximum password length Maximum number of characters allowed in password; user can not set their password of length greater than this parameter. By default maximum length of password is 128 characters.	integer	Minimum: 8 Maximum: 128 Default: "128"
minimum_password_length	Minimum password length Minimum number of characters expected in password; user can not set their password of length less than this parameter. NOTE, for existing users upgrading to NSX-T datacenter version 4.0 or above - if existing appliance is configured with `minimum_password_length` less than current default value, then upgraded appliance will reset the configured setting back to recommended default; which can be explicitly modified back to original value or any other integer greater than or equal to supported minimum value. VMware recommends to set strong passwords for systems and appliances, further suggests to maintain strong `minimum_password_length` value. NSX resets this value to default and recommends to maintain upgraded default value or above for password complexity requirement. If any existing user passwords are set with length of less than newly configured `minimum_password_length`, then its recommended to reset the user passwords as per newly configured password complexity compliance. If existing `minimum_password_length` is greater than or equal to default value, which shall be retained as it is in newly upgraded appliance. By default minimum length of password is 12 characters and passwords less than 8 characters are never allowed.	integer	Minimum: 8 Maximum: 128 Default: "12"
minimum_unique_chars	Number of unique characters from old password Number of character changes in the new password that differentiate it from the old password. To disable the check, value should be set to 0.	integer	Minimum: 0 Maximum: 128 Default: "0"
password_remembrance	Password remembrance from previous generations Limit using a password that was used in past; users can not set the same password within the N generations. To disable the check, value should be set to 0.	integer	Minimum: 0 Default: "0"
special_chars	Number of special characters in password Number of special characters (!@#$&..) expected in user password. N < 0, to set minimum credit for having special characters in the new password, i.e. this is the minimum number of special characters that must be met for a new password. N > 0, to set maximum credit for having special characters in the new password, i.e. per occurrence of special case character in password will attribute additional credit of +1 towards meeting the current minimum_password_length* value upto N special case characters. N = 0, policy will be not applicable. By default minimum 1 special character is required for a new password.	integer	Minimum: -128 Maximum: 128 Default: "-1"
upper_chars	Number of upper-case characters in password Number of upper case characters (A..Z) expected in user password. N < 0, to set minimum credit for having upper case characters in the new password, i.e. this is the minimum number of lower case characters that must be met for a new password. N > 0, to set maximum credit for having upper case characters in the new password, i.e. per occurrence of upper case character in password will attribute additional credit of +1 towards meeting the current minimum_password_length value upto N upper case characters. N = 0, policy will be not applicable. By default minimum 1 upper case character is required for a new password.	integer	Minimum: -128 Maximum: 128 Default: "-1"

Example Request:

PUT https://<nsx-mgr>/api/v1/node/aaa/auth-policy { "minimum_password_length": 15 }

Successful Response:

Response Code:

202 Accepted

Response Headers:

Content-type: application/json

Response Body:

AuthenticationPolicyProperties+

AuthenticationPolicyProperties (schema)

Name	Description	Type	Notes
_links	References related to this resource The server will populate this field when returing the resource. Ignored on PUT and POST.	array of ResourceLink	Readonly
_retry_prompt	Prompt user at most N times before returning with error.	integer	Readonly Default: "3"
_schema	Schema for this resource	string	Readonly
_self	Link to this resource	SelfResourceLink	Readonly
api_failed_auth_lockout_period	Lockout period in seconds Once a lockout occurs, the account remains locked out of the API for this time period. Only applies to NSX Manager nodes. Ignored on other node types.	integer	Minimum: 0 Default: "900"
api_failed_auth_reset_period	Period, in seconds, for authentication failures to trigger lockout In order to trigger an account lockout, all authentication failures must occur in this time window. If the reset period expires, the failed login count is reset to zero. Only applies to NSX Manager nodes. Ignored on other node types.	integer	Minimum: 0 Default: "900"
api_max_auth_failures	Number of authentication failures that trigger API lockout Only applies to NSX Manager nodes. Ignored on other node types.	integer	Minimum: 0 Default: "5"
cli_failed_auth_lockout_period	Lockout period in seconds Once a lockout occurs, the account remains locked out of the CLI for this time period. While the lockout period is in effect, additional authentication attempts restart the lockout period, even if a valid password is specified.	integer	Minimum: 0 Maximum: 604800 Default: "900"
cli_max_auth_failures	Number of authentication failures that trigger CLI lockout	integer	Minimum: 0 Maximum: 10 Default: "5"
digits	Number of digits in password Number of digits (0..9) expected in user password. N < 0, to set minimum credit for having digits in the new password, i.e. this is the minimum number of digits that must be met for a new password. N > 0, to set maximum credit for having digits in the new password, i.e. per occurrence of digit in password will attribute additional credit of +1 towards meeting the current minimum_password_length value upto N digits. N = 0, policy will be not applicable. By default minimum 1 digit is required for a new password.	integer	Minimum: -128 Maximum: 128 Default: "-1"
hash_algorithm	Hash algorithm Sets hash/cryptographic algorithm type for new passwords.	string	Enum: sha512, sha256 Default: "sha512"
lower_chars	Number of lower-case characters in password Number of lower case characters (a..z) expected in user password. N < 0, to set minimum credit for having lower case characters in the new password, i.e. this is the minimum number of lower case characters that must be met for a new password. N > 0, to set maximum credit for having lower case characters in the new password, i.e. per occurrence of lower case character in password will attribute additional credit of +1 towards meeting the current minimum_password_length value upto N lower case characters. N = 0, policy will be not applicable. By default minimum 1 lower case character is required for a new password.	integer	Minimum: -128 Maximum: 128 Default: "-1"
max_repeats	Number of same consecutive characters Reject passwords which contain more than N same consecutive characters, like aaa or 7777. To disable the check, value should be set to 0.	integer	Minimum: 0 Maximum: 128 Default: "0"
max_sequence	Length of permissible monotonic sequence in password substring Reject passwords which contain more than N monotonic character sequences. Monotonic sequences can be '12345' or 'fedcb'. To disable the check, value should be set to 0.	integer	Minimum: 0 Maximum: 128 Default: "0"
maximum_password_length	Maximum password length Maximum number of characters allowed in password; user can not set their password of length greater than this parameter. By default maximum length of password is 128 characters.	integer	Minimum: 8 Maximum: 128 Default: "128"
minimum_password_length	Minimum password length Minimum number of characters expected in password; user can not set their password of length less than this parameter. NOTE, for existing users upgrading to NSX-T datacenter version 4.0 or above - if existing appliance is configured with `minimum_password_length` less than current default value, then upgraded appliance will reset the configured setting back to recommended default; which can be explicitly modified back to original value or any other integer greater than or equal to supported minimum value. VMware recommends to set strong passwords for systems and appliances, further suggests to maintain strong `minimum_password_length` value. NSX resets this value to default and recommends to maintain upgraded default value or above for password complexity requirement. If any existing user passwords are set with length of less than newly configured `minimum_password_length`, then its recommended to reset the user passwords as per newly configured password complexity compliance. If existing `minimum_password_length` is greater than or equal to default value, which shall be retained as it is in newly upgraded appliance. By default minimum length of password is 12 characters and passwords less than 8 characters are never allowed.	integer	Minimum: 8 Maximum: 128 Default: "12"
minimum_unique_chars	Number of unique characters from old password Number of character changes in the new password that differentiate it from the old password. To disable the check, value should be set to 0.	integer	Minimum: 0 Maximum: 128 Default: "0"
password_remembrance	Password remembrance from previous generations Limit using a password that was used in past; users can not set the same password within the N generations. To disable the check, value should be set to 0.	integer	Minimum: 0 Default: "0"
special_chars	Number of special characters in password Number of special characters (!@#$&..) expected in user password. N < 0, to set minimum credit for having special characters in the new password, i.e. this is the minimum number of special characters that must be met for a new password. N > 0, to set maximum credit for having special characters in the new password, i.e. per occurrence of special case character in password will attribute additional credit of +1 towards meeting the current minimum_password_length* value upto N special case characters. N = 0, policy will be not applicable. By default minimum 1 special character is required for a new password.	integer	Minimum: -128 Maximum: 128 Default: "-1"
upper_chars	Number of upper-case characters in password Number of upper case characters (A..Z) expected in user password. N < 0, to set minimum credit for having upper case characters in the new password, i.e. this is the minimum number of lower case characters that must be met for a new password. N > 0, to set maximum credit for having upper case characters in the new password, i.e. per occurrence of upper case character in password will attribute additional credit of +1 towards meeting the current minimum_password_length value upto N upper case characters. N = 0, policy will be not applicable. By default minimum 1 upper case character is required for a new password.	integer	Minimum: -128 Maximum: 128 Default: "-1"

Response Code:

200 OK

Response Headers:

Content-type: application/json

Response Body:

AuthenticationPolicyProperties+

AuthenticationPolicyProperties (schema)

Name	Description	Type	Notes
_links	References related to this resource The server will populate this field when returing the resource. Ignored on PUT and POST.	array of ResourceLink	Readonly
_retry_prompt	Prompt user at most N times before returning with error.	integer	Readonly Default: "3"
_schema	Schema for this resource	string	Readonly
_self	Link to this resource	SelfResourceLink	Readonly
api_failed_auth_lockout_period	Lockout period in seconds Once a lockout occurs, the account remains locked out of the API for this time period. Only applies to NSX Manager nodes. Ignored on other node types.	integer	Minimum: 0 Default: "900"
api_failed_auth_reset_period	Period, in seconds, for authentication failures to trigger lockout In order to trigger an account lockout, all authentication failures must occur in this time window. If the reset period expires, the failed login count is reset to zero. Only applies to NSX Manager nodes. Ignored on other node types.	integer	Minimum: 0 Default: "900"
api_max_auth_failures	Number of authentication failures that trigger API lockout Only applies to NSX Manager nodes. Ignored on other node types.	integer	Minimum: 0 Default: "5"
cli_failed_auth_lockout_period	Lockout period in seconds Once a lockout occurs, the account remains locked out of the CLI for this time period. While the lockout period is in effect, additional authentication attempts restart the lockout period, even if a valid password is specified.	integer	Minimum: 0 Maximum: 604800 Default: "900"
cli_max_auth_failures	Number of authentication failures that trigger CLI lockout	integer	Minimum: 0 Maximum: 10 Default: "5"
digits	Number of digits in password Number of digits (0..9) expected in user password. N < 0, to set minimum credit for having digits in the new password, i.e. this is the minimum number of digits that must be met for a new password. N > 0, to set maximum credit for having digits in the new password, i.e. per occurrence of digit in password will attribute additional credit of +1 towards meeting the current minimum_password_length value upto N digits. N = 0, policy will be not applicable. By default minimum 1 digit is required for a new password.	integer	Minimum: -128 Maximum: 128 Default: "-1"
hash_algorithm	Hash algorithm Sets hash/cryptographic algorithm type for new passwords.	string	Enum: sha512, sha256 Default: "sha512"
lower_chars	Number of lower-case characters in password Number of lower case characters (a..z) expected in user password. N < 0, to set minimum credit for having lower case characters in the new password, i.e. this is the minimum number of lower case characters that must be met for a new password. N > 0, to set maximum credit for having lower case characters in the new password, i.e. per occurrence of lower case character in password will attribute additional credit of +1 towards meeting the current minimum_password_length value upto N lower case characters. N = 0, policy will be not applicable. By default minimum 1 lower case character is required for a new password.	integer	Minimum: -128 Maximum: 128 Default: "-1"
max_repeats	Number of same consecutive characters Reject passwords which contain more than N same consecutive characters, like aaa or 7777. To disable the check, value should be set to 0.	integer	Minimum: 0 Maximum: 128 Default: "0"
max_sequence	Length of permissible monotonic sequence in password substring Reject passwords which contain more than N monotonic character sequences. Monotonic sequences can be '12345' or 'fedcb'. To disable the check, value should be set to 0.	integer	Minimum: 0 Maximum: 128 Default: "0"
maximum_password_length	Maximum password length Maximum number of characters allowed in password; user can not set their password of length greater than this parameter. By default maximum length of password is 128 characters.	integer	Minimum: 8 Maximum: 128 Default: "128"
minimum_password_length	Minimum password length Minimum number of characters expected in password; user can not set their password of length less than this parameter. NOTE, for existing users upgrading to NSX-T datacenter version 4.0 or above - if existing appliance is configured with `minimum_password_length` less than current default value, then upgraded appliance will reset the configured setting back to recommended default; which can be explicitly modified back to original value or any other integer greater than or equal to supported minimum value. VMware recommends to set strong passwords for systems and appliances, further suggests to maintain strong `minimum_password_length` value. NSX resets this value to default and recommends to maintain upgraded default value or above for password complexity requirement. If any existing user passwords are set with length of less than newly configured `minimum_password_length`, then its recommended to reset the user passwords as per newly configured password complexity compliance. If existing `minimum_password_length` is greater than or equal to default value, which shall be retained as it is in newly upgraded appliance. By default minimum length of password is 12 characters and passwords less than 8 characters are never allowed.	integer	Minimum: 8 Maximum: 128 Default: "12"
minimum_unique_chars	Number of unique characters from old password Number of character changes in the new password that differentiate it from the old password. To disable the check, value should be set to 0.	integer	Minimum: 0 Maximum: 128 Default: "0"
password_remembrance	Password remembrance from previous generations Limit using a password that was used in past; users can not set the same password within the N generations. To disable the check, value should be set to 0.	integer	Minimum: 0 Default: "0"
special_chars	Number of special characters in password Number of special characters (!@#$&..) expected in user password. N < 0, to set minimum credit for having special characters in the new password, i.e. this is the minimum number of special characters that must be met for a new password. N > 0, to set maximum credit for having special characters in the new password, i.e. per occurrence of special case character in password will attribute additional credit of +1 towards meeting the current minimum_password_length* value upto N special case characters. N = 0, policy will be not applicable. By default minimum 1 special character is required for a new password.	integer	Minimum: -128 Maximum: 128 Default: "-1"
upper_chars	Number of upper-case characters in password Number of upper case characters (A..Z) expected in user password. N < 0, to set minimum credit for having upper case characters in the new password, i.e. this is the minimum number of lower case characters that must be met for a new password. N > 0, to set maximum credit for having upper case characters in the new password, i.e. per occurrence of upper case character in password will attribute additional credit of +1 towards meeting the current minimum_password_length value upto N upper case characters. N = 0, policy will be not applicable. By default minimum 1 upper case character is required for a new password.	integer	Minimum: -128 Maximum: 128 Default: "-1"

Example Response:

{ "_schema": "AuthenticationPolicyProperties", "_self": { "href": "/node/aaa/auth-policy", "rel": "self" }, "api_failed_auth_lockout_period": 900, "api_failed_auth_reset_period": 900, "api_max_auth_failures": 5, "cli_failed_auth_lockout_period": 900, "cli_max_auth_failures": 5, "minimum_password_length": 15, "maximum_password_length": 128, "lower_chars": -1, "upper_chars": -1, "digits": -1, "special_chars": -1, "minimum_unique_chars": 0, "max_repeats": 0, "max_sequence": 0, "hash_algorithm": "sha512", "password_remembrance": 0, "_retry_prompt": 3 }

Update node authentication policy and password complexity configuration

Request:

AuthenticationPolicyProperties (schema)

Example Request:

Successful Response:

AuthenticationPolicyProperties (schema)

AuthenticationPolicyProperties (schema)

Example Response:

Required Permissions:

Feature:

Additional Errors: