High-Availability and Password Policy Options

The SAP ASE high-availability functionality synchronizes these password policy options between primary and secondary servers:

  • disallow simple passwords

  • min digits in password

  • min alpha in password

  • min special char in password

  • min upper char in password

  • min lower char in password

  • systemwide password expiration

  • password exp warn interval

  • minimum password length

  • maximum failed login

  • expire login

  • keypair regeneration period

  • keypair error retry wait

  • keypair error retry count

The SAP ASE server uses a “password policy” quorum attribute to check the inconsistency of any of those values on both the primary and secondary servers, except keypair regeneration period, keypair error retry wait, and keypair error retry count. A high-availability advisory check succeeds when all those value are the same on both servers, and fail when the values differ. For example:

sp_companion "MONEY1", do_advisory, 'all'
Attribute Name   Attrib Type  Local Value  Remote Value  Advisory
--------------   -----------  -----------  -----------  ------
expire login     password po   1            0            2
maximum failed   password po   3            5            2
min alpha in pa  assword po   10           12            2

A value of 2 set in the advisory column of the output indicates that the user cannot proceed with the cluster operation unless the values on both the companions match.

The output of sp_companion do_advisory also indicates the inconsistency in any of the particular password policy checks on both servers.