Changing the password encryption algorithm to PBKDF2 encryption

Applies to: On premises, On Cloud

If you're using the AES encryption algorithm for user passwords, you can change to the PBKDF2 one-way hashing algorithm, which is more secure. This task applies when you use OpenPages® to authenticate users.

Before you begin

  • You currently use the AES encryption algorithm for user passwords.
  • Fix pack 9.0.0.1 or later is installed.
  • Ensure that all OpenPages servers are running and that no users are logged on to the system during the password encryption update.

About this task

Note: If you are using Single Sign-On (SSO), LDAP, or another external system to authenticate users, you do not need to do this task.

If your OpenPages environment is using the AES encryption algorithm, you can change to the PBKDF2 one-way hashing algorithm, which is more secure. After the change, PBKDF2 is used to hash the user passwords that are stored in the OpenPages database.

To determine the encryption algorithm that your environment is using, examine the ALGORITHMNAME value of the ENCRYPTIONMODULES table entry that has an INACTIVE value of 0.

Important: Before you continue, review the following points:
  • The change to PBKDF2 cannot be undone. After you change to PBKDF2, you cannot switch back to AES.
  • After you change the algorithm to a one-way hashing algorithm, user passwords are not recoverable by administrators or by IBM. If a user password is lost or forgotten, it must be reset.
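The two points above (the change cannot be undone, and hashed passwords cannot be recovered) follow from how a one-way key derivation function is used for password storage. The following Python script is an added illustration of that storage model and of the temporary-password reset path; it is not OpenPages code and does not reproduce how OpenPages formats its stored values. The record layout, the SHA-256 pseudorandom function, the 16-byte salt and the iteration count are all assumptions made for the example; only the 256-bit (32-byte) derived key length mirrors the -KeySize 256 value used in the procedure.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional

# Example parameters (assumptions for this illustration, not OpenPages settings).
PRF = "sha256"        # pseudorandom function used inside PBKDF2
KEY_LEN = 32          # 256-bit derived key, matching -KeySize 256 in the procedure
ITERATIONS = 600_000  # work factor; raise it as hardware gets faster
SALT_LEN = 16         # random salt per stored password


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Derive a PBKDF2 record 'pbkdf2_<prf>$<iterations>$<salt-hex>$<key-hex>'.

    Nothing in the record allows the password to be computed back from it:
    the only operation available afterwards is re-deriving from a candidate
    password and comparing, which is why the change is one-way.
    """
    if salt is None:
        salt = os.urandom(SALT_LEN)  # fresh salt per user, so equal passwords differ
    dk = hashlib.pbkdf2_hmac(PRF, password.encode("utf-8"), salt,
                             iterations, dklen=KEY_LEN)
    return f"pbkdf2_{PRF}${iterations}${salt.hex()}${dk.hex()}"


def verify_password(record: str, candidate: str) -> bool:
    """Re-derive from the stored salt and iteration count; compare in constant time."""
    try:
        scheme, iter_s, salt_hex, key_hex = record.split("$")
        iterations = int(iter_s)
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(key_hex)
    except ValueError:
        return False  # malformed record never verifies
    if scheme != f"pbkdf2_{PRF}" or len(expected) != KEY_LEN or iterations < 1:
        return False
    dk = hashlib.pbkdf2_hmac(PRF, candidate.encode("utf-8"), salt,
                             iterations, dklen=KEY_LEN)
    return hmac.compare_digest(dk, expected)


def reset_all_to_temporary(usernames, temp_password: str) -> Dict[str, dict]:
    """Model the -TempPassword path from the procedure.

    Because the old hashes cannot be inverted, the only recovery option is to
    set a new (temporary) password. Every user receives the same temporary
    password but a distinct salt, and is flagged to change it at next login.
    """
    return {
        name: {"record": hash_password(temp_password), "must_change": True}
        for name in usernames
    }


if __name__ == "__main__":
    # Constructed sample data for a stand-alone run.
    stored = hash_password("correct horse battery staple")
    print("stored record:", stored)
    print("right password verifies:", verify_password(stored, "correct horse battery staple"))
    print("wrong password verifies:", verify_password(stored, "Correct horse battery staple"))
    reset = reset_all_to_temporary(["alice", "bob"], "Temp-Pass-2024!")
    print("alice must change:", reset["alice"]["must_change"])
```

Two properties are worth checking against your own deployment after the switch: that equal passwords for different users produce different stored values (per-user salt), and that verification is done by re-derivation and a constant-time comparison rather than by decrypting anything.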

Procedure

  1. Back up OpenPages and the database.
  2. Open a command or shell window on the OpenPages application server.

    Go to the <OP_HOME>/bin directory.

    Run the following command on a single line:

    UpdatePasswordEncryptionAlgorithm.sh|.cmd -Mode CA -AlgorithmName PBKDF2 -ProviderName BC -ProviderClass org.bouncycastle.jce.provider.BouncyCastleProvider -KeySize 256 -Username <OpenPagesAdministrator> -Password <OpenPagesAdministratorPassword> -TempPassword <password>

    • The -TempPassword parameter is optional. Use this parameter to reset all user passwords to a temporary password.

    Wait for the process to complete.

  3. Restart all OpenPages services.
  4. If you used the -TempPassword parameter, notify all users that their passwords have been reset. Give them the temporary password that you specified and tell them that they must change it the next time they log in to OpenPages.

Results

User passwords are encrypted with the PBKDF2 one-way hashing algorithm.

Passwords in properties files continue to be encrypted with the AES encryption algorithm.