password-hash-algorithm

This command sets the hash algorithm to apply to passwords before they are stored.

Syntax

password-hash-algorithm { md5crypt | sha256crypt }

Parameters

md5crypt
Uses MD5 Crypt as the hash algorithm. This setting is the default value.
sha256crypt
Uses SHA-256 Crypt as the hash algorithm.

Guidelines

Note: On AIX®, Linux®, and Windows, IBM® MQ provides FIPS 140-2 compliance through the IBM Crypto for C (ICC) cryptographic module. The certificate for this module has been moved to the Historical status. Customers should view the IBM Crypto for C (ICC) certificate and be aware of any advice provided by NIST. A replacement FIPS 140-3 module is currently in progress and its status can be viewed by searching for it in the NIST CMVP modules in process list.

The password-hash-algorithm command specifies the hash algorithm that is applied to passwords for locally defined users before the passwords are stored.

  • In FIPS 140-2 Level 1 mode, the appliance cannot check MD5 Crypt password entries because MD5 is banned in this mode. If any existing account passwords use MD5 Crypt, the appliance refuses to enter FIPS 140-2 Level 1 mode to avoid user lockout. To successfully enter FIPS 140-2 Level 1 mode, you must select sha256crypt and then change the password on any existing user accounts that used MD5 Crypt when last changed.
  • Firmware releases before 6.0.1 do not support SHA-256 Crypt passwords. If you need to downgrade to a release before 6.0.1, you must select md5crypt and then change the password on any existing user accounts that used SHA-256 Crypt when last changed. Downgrading to a release before 6.0.1 is allowed only after this configuration is complete. This check is to avoid user lockout.
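
The following Python script is an added example, not IBM code. It applies the two lockout rules above to a list of stored password hashes and reports which accounts need a password change before entering FIPS 140-2 Level 1 mode or before downgrading. It assumes that the hashes are available as modular crypt format strings, where the prefix `$1$` marks MD5 Crypt and `$5$` marks SHA-256 Crypt; how such strings are obtained from the appliance is not covered here. The user records are constructed, and the function names are hypothetical.

```python
import re

# Modular crypt format identifiers (assumed storage format, see lead-in).
SCHEMES = {"1": "md5crypt", "5": "sha256crypt"}
# Encoded digest length for each scheme in the crypt base64 alphabet.
DIGEST_LEN = {"md5crypt": 22, "sha256crypt": 43}
MCF = re.compile(
    r"^\$(?P<id>[0-9a-z]+)\$(?:rounds=\d+\$)?"
    r"(?P<salt>[./0-9A-Za-z]{0,16})\$(?P<digest>[./0-9A-Za-z]+)$"
)


def scheme_of(hash_string):
    """Return 'md5crypt', 'sha256crypt' or 'unknown' for a stored hash."""
    m = MCF.match(hash_string)
    if not m:
        return "unknown"
    scheme = SCHEMES.get(m.group("id"), "unknown")
    if scheme != "unknown" and len(m.group("digest")) != DIGEST_LEN[scheme]:
        return "unknown"  # right prefix, malformed digest
    return scheme


def blockers(users, target):
    """Return the accounts whose password must be changed before `target`.

    target 'fips': entering FIPS 140-2 Level 1 mode, no md5crypt entries.
    target 'downgrade': release before 6.0.1, no sha256crypt entries.
    Entries that cannot be classified are listed too, for manual review.
    """
    banned = {"fips": "md5crypt", "downgrade": "sha256crypt"}[target]
    return sorted(
        name for name, h in users.items()
        if scheme_of(h) in (banned, "unknown")
    )


# Constructed sample records: salts and digests are filler, not real hashes.
USERS = {
    "admin": "$5$rounds=5000$constructedsalt1$" + "B" * 43,
    "operator": "$1$saltsalt$" + "A" * 22,
    "auditor": "$5$examplesalt$" + "C" * 43,
    "legacy": "$1$abcdefgh$" + "D" * 22,
    "imported": "not-a-crypt-string",
}

if __name__ == "__main__":
    print("Change before FIPS mode:", blockers(USERS, "fips"))
    print("Change before downgrade:", blockers(USERS, "downgrade"))
```
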

Example

Apply the SHA-256 Crypt hash algorithm to passwords before they are stored.
# password-hash-algorithm sha256crypt