3.4.4 Setting the password save format

You can improve password security by changing the format in which passwords are stored from hash level 1 to hash level 2. The format defaults to hash level 1 when omitted from the common definition information. You do not need to change the password save format on any host other than the authentication server. Linked users who are authenticated by a directory server are not affected by this setting.

Note the following when changing the password save format:

• The accounts of JP1 users registered with an authentication server (except for users linked to a directory server) must be deleted and re-registered after you change the password save format. Until you do so, these users cannot undergo user authentication or change their passwords.

• The password save format must be the same on the primary authentication server and the secondary authentication server.

• After you change the password save format to hash level 2, any host other than an authentication server that issues a command to configure a JP1 user must be running version 10-00 or later of JP1/Base. If the jbsadduser command is executed from a host running version 09-00 or earlier, the message KAVA5023-E is output. If the jbschgpasswd command is executed, the message KAVA5223-E is output. In either case, the command terminates abnormally.

To change the format in which passwords are saved:

1. On the primary authentication server, create a definition file with the following contents.

   You can choose any name for the file.

   [JP1_DEFAULT\JP1BASE\]
   "HASH_LEVEL"=dword:{00000001|00000002}

   1: Operates in hash level 1 mode.

   2: Operates in hash level 2 mode.

   On a logical host, replace JP1_DEFAULT with the logical host name.

2. Execute the jbssetcnf command.

   jbssetcnf definition-file-name

   The contents of the new definition file are applied to the common definition information on the primary authentication server.

3. Start the primary authentication server.

4. Execute the jbsrmuser command.

   Of the JP1 users registered on the authentication server, delete all JP1 users who are not linked to the directory server. You do not need to delete access permissions.

5. Re-register the JP1 users you deleted.

   Re-register all the JP1 users you deleted in step 4.

6. Copy the settings from the primary authentication server to the secondary authentication server.

   For details, see 8.1.4 Copying settings from the primary authentication server or 8.3.4 Copying settings from the primary authentication server.

7. Create a definition file on the secondary authentication server.

   You can choose any name for the file. Specify the parameter in the same format as step 1.

   If the primary and secondary authentication servers are both physical hosts, you can simply copy the definition file you used in step 2 to the secondary authentication server. In all other scenarios, create separate definition files for the primary and secondary authentication servers.

8. Execute the jbssetcnf command.

   jbssetcnf definition-file-name

   The contents of the definition file you created in step 7 or the definition file you copied from the primary authentication server are applied to the common definition information on the secondary authentication server.

9. Start the secondary authentication server.

   The password save format is changed.

To Page Top