Hitachi

JP1 Version 12 JP1/Network Node Manager i Setup Guide


23.3.1 Encryption and user account passwords

Important

This information does not apply to the Lightweight Directory Access Protocol (LDAP) or to Common Access Card (CAC) accounts.

NNMi user accounts created from the NNMi console are stored in the NNMi database. The passwords for these users are hashed and also stored in the database.

When a user signs into the NNMi console, or uses a command line interface (CLI) tool, the password the user provides is hashed and compared to the hashed value stored in the database. If the user provides the correct password, these two hashed strings will match, authenticating the user.

Earlier versions of NNMi (10-50 or earlier) hashed user passwords with algorithms that are now considered outdated. NNMi 11-00 uses a stronger algorithm for user account passwords. However, because a password hash is a one-way function, the original password cannot be recovered from a stored hash, so existing passwords cannot simply be converted to the new algorithm during an upgrade from NNMi 10-50 to 11-00.

After an upgrade, all existing users still have their passwords stored in the database as legacy-algorithm hashes. However, when such a user logs on successfully, the password the user has just provided (which is available in clear text at that moment) is re-hashed automatically using the new hash algorithm specified in the crypto configuration file, and the new hash replaces the legacy one in the database.

This means that passwords are migrated to the new algorithm gradually, as each user logs on for the first time after the upgrade. The same applies if the crypto configuration is changed in the future: each user's password is upgraded to the new hash algorithm at the time of that user's next successful logon.

Important
  • Upgrading user passwords depends on the earlier legacy algorithm (for example, MD5) still being listed in the <allowed> block, because NNMi must be able to verify the legacy hash before it can re-hash the password. For this reason, you must keep the earlier legacy algorithm listed in the <allowed> block until all passwords have been migrated.

  • If the earlier legacy algorithm is not kept in the <allowed> block, NNMi cannot verify the legacy hashes that remain in the database. Those users will not be able to log on, and because no successful logon occurs, NNMi never obtains the clear-text password it needs in order to re-hash it with the new algorithm.

  • Once the earlier legacy algorithm has been removed from the <allowed> block, the administrator must either delete and re-create the affected users or reset the passwords of the users whose passwords were hashed with the earlier legacy algorithm.
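The following is an added example, not code from NNMi or from this guide, that models the logon-time migration described above: a legacy hash is verified only if its algorithm is still in the allowed set, a successful logon re-hashes the password with the current algorithm, and removing the legacy algorithm from the allowed set too early locks the unmigrated users out. The record format, the configuration class, the choice of MD5 as the legacy algorithm and PBKDF2-HMAC-SHA256 as the current one, and all user names and passwords are constructed for the example and are not NNMi's internal formats.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

PBKDF2_ROUNDS = 100_000


@dataclass
class CryptoConfig:
    """Hypothetical stand-in for the crypto configuration file:
    'current' is what new hashes are written with, 'allowed' is the set of
    algorithms a stored hash may use and still be verified at logon."""
    current: str = "PBKDF2-SHA256"
    allowed: Set[str] = field(default_factory=lambda: {"PBKDF2-SHA256", "MD5"})


def hash_password(password: str, algo: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record 'ALGO$salt_hex$digest_hex' (constructed format)."""
    if algo == "MD5":
        # Legacy: unsalted MD5. Kept only so that old records can still be verified.
        return "MD5$$" + hashlib.md5(password.encode()).hexdigest()
    if algo == "PBKDF2-SHA256":
        salt = salt if salt is not None else os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        return f"PBKDF2-SHA256${salt.hex()}${digest.hex()}"
    raise ValueError(f"unknown algorithm {algo}")


def verify_password(record: str, password: str, cfg: CryptoConfig) -> bool:
    """Verify using the record's own algorithm, but only if that algorithm is allowed.
    A legacy record whose algorithm was dropped from 'allowed' can never verify."""
    algo, salt_hex, digest_hex = record.split("$", 2)
    if algo not in cfg.allowed:
        return False
    salt = bytes.fromhex(salt_hex) if salt_hex else None
    candidate = hash_password(password, algo, salt).split("$", 2)[2]
    return hmac.compare_digest(candidate, digest_hex)


def logon(store: Dict[str, str], user: str, password: str, cfg: CryptoConfig) -> str:
    """Authenticate; on success, transparently re-hash with cfg.current if needed.
    Returns 'denied', 'ok' or 'ok-rehashed'."""
    record = store.get(user)
    if record is None or not verify_password(record, password, cfg):
        return "denied"
    if record.split("$", 1)[0] != cfg.current:
        # The clear-text password is available only now, so this is the one
        # moment at which the legacy hash can be replaced.
        store[user] = hash_password(password, cfg.current)
        return "ok-rehashed"
    return "ok"


def list_legacy_accounts(store: Dict[str, str], cfg: CryptoConfig) -> Dict[str, str]:
    """Accounts not yet on cfg.current, marked 'migratable' if their algorithm is
    still allowed (they migrate at next logon) or 'locked-out' if it is not."""
    result = {}
    for user, record in store.items():
        algo = record.split("$", 1)[0]
        if algo != cfg.current:
            result[user] = "migratable" if algo in cfg.allowed else "locked-out"
    return result


def demo() -> Dict[str, object]:
    """Walk through an upgrade: two users with legacy MD5 records, one logs on
    and is migrated, then MD5 is removed from 'allowed' before the other does."""
    store = {
        "alice": hash_password("correct horse", "MD5"),   # constructed sample data
        "bob": hash_password("battery staple", "MD5"),
    }
    cfg = CryptoConfig()
    out: Dict[str, object] = {}
    out["wrong_password"] = logon(store, "alice", "wrong", cfg)
    out["alice_first"] = logon(store, "alice", "correct horse", cfg)
    out["alice_second"] = logon(store, "alice", "correct horse", cfg)
    out["alice_algo"] = store["alice"].split("$", 1)[0]
    out["legacy_before"] = list_legacy_accounts(store, cfg)
    cfg.allowed.discard("MD5")  # administrator removes the legacy algorithm too early
    out["bob_after_removal"] = logon(store, "bob", "battery staple", cfg)
    out["legacy_after"] = list_legacy_accounts(store, cfg)
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The last two results of demo() are the failure mode the bullets above warn about: once MD5 is gone from the allowed set, bob's correct password is rejected, and because no successful logon ever happens his record can no longer be migrated; only a password reset or re-creating the account recovers him.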

Use the following command to determine whether each user's password is hashed with an algorithm listed in the crypto configuration file or is still hashed with an earlier legacy algorithm that is no longer specified there:

nnmsecurity.ovpl -listUserAccounts legacy

For details, see the nnmsecurity.ovpl Reference Page.