Hitachi

JP1 Version 12 JP1/Base User's Guide


3.4.6 Setting the password save format

You can improve password security by changing the format in which passwords are stored from hash level 1 to hash level 2. Note that if you perform a new installation of JP1/Base version 12-00 or later, the format is set to hash level 2. However, if you perform an upgrade installation from version 11-50 or earlier to version 12-00 or later, and the format is omitted from the common definition information, the format defaults to hash level 1. If you want to keep using the passwords registered before the overwrite installation, use the same password save format. If you want to strengthen password protection, follow the procedure below to change the password save format to hash level 2 mode. You do not need to set the password save format on any host other than the authentication server. Linked users who are authenticated by a directory server are not affected by this setting.

Note the following when changing the password save format:

To change the format in which passwords are saved:

  1. On the primary authentication server, create a definition file with the following contents.

    You can choose any name for the file.

    [JP1_DEFAULT\JP1BASE\]
    "HASH_LEVEL"=dword:{00000001|00000002}

    1: Operates in hash level 1 mode.

    2: Operates in hash level 2 mode.

    On a logical host, replace JP1_DEFAULT with the logical host name.

  2. Execute the jbssetcnf command.

    jbssetcnf definition-file-name

    The contents of the new definition file are applied to the common definition information on the primary authentication server.

  3. Start the primary authentication server.

  4. Execute the jbsrmuser command.

    Of the JP1 users registered on the authentication server, delete all JP1 users who are not linked to the directory server. You do not need to delete access permissions.

  5. Re-register the JP1 users you deleted.

    Re-register all the JP1 users you deleted in step 4.

  6. Copy the settings from the primary authentication server to the secondary authentication server.

    For details, see 8.1.4 Copying settings from the primary authentication server or 8.3.4 Copying settings from the primary authentication server.

  7. Create a definition file on the secondary authentication server.

    You can choose any name for the file. Specify the parameter in the same format as step 1.

    If the primary and secondary authentication servers are both physical hosts, you can simply copy the definition file you used in step 2 to the secondary authentication server. In all other scenarios, create separate definition files for the primary and secondary authentication servers.

  8. Execute the jbssetcnf command.

    jbssetcnf definition-file-name

    The contents of the definition file you created in step 7 or the definition file you copied from the primary authentication server are applied to the common definition information on the secondary authentication server.

  9. Start the secondary authentication server.

    The password save format is changed.
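
The following is an added example, not part of the Hitachi manual or any JP1/Base tool: a Python check that reads text in the definition-file format from step 1 and reports, for each host section, whether HASH_LEVEL is 2, 1, omitted, or invalid. The function names, the logical host names, and the sample text are constructed for illustration.

```python
import re

# Section header and key exactly as shown in step 1 of the procedure.
SECTION = re.compile(r'^\[([^\\\]]+)\\JP1BASE\\\]$')
HASH_KEY = re.compile(r'^"HASH_LEVEL"\s*=\s*dword:([0-9A-Fa-f]{8})$')

def audit_hash_level(text):
    """Map each host section in a definition file to level2/level1/omitted/invalid."""
    levels, host = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            m = SECTION.match(line)
            host = m.group(1) if m else None   # ignore unrelated sections
            if host is not None:
                levels.setdefault(host, "omitted")
            continue
        m = HASH_KEY.match(line)
        if host is None or not line.startswith('"HASH_LEVEL"'):
            continue
        value = int(m.group(1), 16) if m else None   # malformed value -> invalid
        levels[host] = {1: "level1", 2: "level2"}.get(value, "invalid")
    return levels

def hosts_to_fix(text):
    """Hosts not explicitly at hash level 2 (omitted can default to level 1 after an upgrade)."""
    return sorted(h for h, s in audit_hash_level(text).items() if s != "level2")

# Constructed sample: the physical host plus three hypothetical logical hosts.
SAMPLE = r'''
[JP1_DEFAULT\JP1BASE\]
"HASH_LEVEL"=dword:00000002
[lhost01\JP1BASE\]
"HASH_LEVEL"=dword:00000001
[lhost02\JP1BASE\]
[lhost03\JP1BASE\]
"HASH_LEVEL"=dword:00000003
'''

if __name__ == "__main__":
    for host, status in audit_hash_level(SAMPLE).items():
        print(f"{host}: {status}")
```

This inspects definition-file text only; the value in effect is the one held in the common definition information after jbssetcnf has been run.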