Hi Heinz,
Please refer to the link below for the security policy settings of AS Java.
1) Security Policy for AS Java
Security Policy - Identity Management - SAP Library
2) UME properties for security policy
http://help.sap.com/saphelp_nw70ehp1/helpdata/en/b5/16c43bdd3da244a1d3372a77b5f83f/content.htm
There is a default value for 90 days for password exipry.
Generally Portal is implemented such that corporate LDAP/AD is the datasource and the security policy of the LDAP is then applicable to Portal as well.
Regards
Veera