The Policy > Application Policy screen (Figure 21-6) is where you set login and password policies for an application. This feature maintains an audit log of security policy changes that you can view in the log viewer in the OMC. You should typically see entries for logon, logoff, and other security events, including policy changes. Double-click a listed item in the dialog to open the panel below that modifies it.
Figure 21-6 Application Security Policy Browser
The login screen prompts for user name, password, and application server. The system stores a default application server in a configuration file and locks out user accounts after a specified number of login attempts. It also returns a system-configurable message (Privacy Warning) when user authentication fails. Users can establish concurrent client connections, each uniquely identified by UserId, IPAddress, JVMId and Timestamp. Users are prompted to change their password on their initial login, and are prompted for a new password during the expiration-warning period. When that period expires, users are forced to change expired passwords.
Click on one of the selectable items in the tree on the left to set various aspects of the following:
• Login Policy -- Login Attempts, Idle Account Age, Privacy Warning, Lockout Period, Expired Account Age.
• Idle Account Age -- The age for disabling accounts with no logins for a period of time.
• Privacy Warning -- The text that warns against unauthorized logins.
• Login Attempts -- The number of failed login attempts before the account is locked out.
• Inactivity Timeout -- The period of inactivity before Oware terminates a client in the application. Setting this to zero means clients are never terminated for inactivity.
The Inactivity Timeout for clients defaults to 30 minutes.
• Lockout Period -- The period before an account is automatically reset. (Zero requires an administrator to trigger the reset of the account.)
• Expired Account Age -- The age for disabling accounts with an expired password and no logins for a period of time.
• Password Policy -- Password Expiration Warning, Password Expiration Age, Password History.
• Password History -- Limit of 1-100.
• Password Expiration Age -- In weeks.
• Password Expiration Warning -- In weeks/days.
• Password Constraints -- Require a number, Allow Password Reuse, Minimum Password Length, Allow UserID in Password, Require a special character, Require Mixed Case.
When you select one of the policies displayed in the right of the Browser, the lower right panel displays an explanation and the means to alter the policy. Clicking the Save button in this lower right panel confirms and saves the policy change.
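The following is an added example, not Oware code: a small Python model of how the Login Attempts, Lockout Period and Inactivity Timeout settings interact, including the two zero-value cases described above. All class, field and function names are assumptions, the default of three login attempts is a constructed value, and resetting the failure counter on a successful login is an assumption the page does not state.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

@dataclass
class LoginPolicy:  # hypothetical names; not Oware identifiers
    login_attempts: int = 3                                # constructed value
    lockout_period: timedelta = timedelta(minutes=15)      # zero: administrator must reset
    inactivity_timeout: timedelta = timedelta(minutes=30)  # zero: never terminate

@dataclass
class Account:
    failed: int = 0
    locked_at: Optional[datetime] = None

def is_locked(acct: Account, policy: LoginPolicy, now: datetime) -> bool:
    """True while locked; auto-resets once a non-zero lockout period has passed."""
    if acct.locked_at is None:
        return False
    if policy.lockout_period == timedelta(0):
        return True  # only admin_reset() clears this lock
    if now - acct.locked_at >= policy.lockout_period:
        acct.failed, acct.locked_at = 0, None
        return False
    return True

def record_login(acct: Account, policy: LoginPolicy, now: datetime,
                 password_ok: bool) -> str:
    """Return 'ok', 'failed' or 'locked' for one login attempt."""
    if is_locked(acct, policy, now):
        return "locked"  # a correct password is still refused while locked
    if password_ok:
        acct.failed = 0  # assumption: success clears the failure count
        return "ok"
    acct.failed += 1
    if acct.failed >= policy.login_attempts:
        acct.locked_at = now
        return "locked"
    return "failed"

def admin_reset(acct: Account) -> None:
    """Administrator-triggered reset of a locked account."""
    acct.failed, acct.locked_at = 0, None

def session_expired(last_activity: datetime, policy: LoginPolicy,
                    now: datetime) -> bool:
    """Inactivity check; a zero timeout means clients are never terminated."""
    if policy.inactivity_timeout == timedelta(0):
        return False
    return now - last_activity >= policy.inactivity_timeout
```
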
The User ID and Password are encrypted using 3DES before being persisted or sent over a network.
Security Events describes the events Oware emits based on policies in User Monitor and in Security Policy.