New cybersecurity requirements in NMC3

To comply with stricter cybersecurity requirements across various product groups, it is recommended that customers review their username/password lists in Data Center Expert and EcoStruxure IT Gateway and and confirm that those listed are both active and accurate.

In particular, some APC NMC3 devices may have bad login attempt limits configured that can prohibit successful device discovery or completing specific tasks. Repeated failed attempts to log into devices can adversely affect DDF downloads, device launch, device configuration, and firmware updates.

To comply with stricter cybersecurity rules, the NMC3 web UI now reports the error condition for bad login attempt limit exceeded as Invalid user name or password instead of Account locked out as in prior firmware versions (2.3.1.1 and older). 

When the number of failed login attempts is exceeded, a one hour wait time is required before another login attempt, or before the superuser or an admin level account can unlock the account. By default, there is no admin level account other than the superuser; you must create one.

The Bad login attempts setting defaults to 5. In prior versions, the default was 0 (unlimited). You can increase this value up to 99.

Log in to the NMC3 UI and go to Configuration > Security > Local users > Default Settings to check this setting.

NMC3 version 2.4

In version 2.4, the superuser account cannot be locked out by the Bad login attempts setting.

NMC3 version 2.5

In version 2.5, the superuser account can also be locked out by the Bad login attempts setting.

If the superuser is locked out and a separate admin level account was never created, you must wait the full hour for the lockout timer to end before attempting to login in again, or format the NMC, which resets the NMC to factory default and wipes all configuration and related items.