Upgrading the OpenPages password encryption algorithm to AES encryption

Applies to: On premises

Determine the password encryption algorithm that your environment is using and upgrade it to AES encryption.

About this task

If your OpenPages® environment is using the OP-CUSTOM or 3DES encryption algorithm, change the encryption algorithm to AES, which is more secure.

To determine the encryption algorithm that your environment is using, examine the ALGORITHMNAME value of the ENCRYPTIONMODULES table entry that has an INACTIVE value of 0.

Procedure

  1. Edit the <OP_HOME>/aurora/conf/aurora.properties file and the <OP_HOME>/aurora/bin/op-backup-restore.env file and change any encrypted passwords to plain text.
    • If you are using 3DES, look for lines that contain {3DES}.

      For example, suppose the aurora.properties file contains the following line: database.PASSWORD={3DES}Rj+steg+3eU7kb8O+\=\=. The database password is encrypted with the 3DES algorithm. Replace the encrypted password with the password in plain text, for example, database.PASSWORD=db_password.

    • If you are using OP-CUSTOM, the lines do not have an algorithm indicator. Look for encrypted passwords and change each of them to the password in plain text.

    The passwords are encrypted with the AES algorithm when you restart the OpenPages services in step 3.

  2. Open a command or shell window on the OpenPages application server.

    Go to the <OP_HOME>/bin directory.

    From the command or shell window, run the following command on a single line:

    UpdatePasswordEncryptionAlgorithm.sh|.cmd -Mode CA -AlgorithmName AES -ProviderName BC -ProviderClass org.bouncycastle.jce.provider.BouncyCastleProvider -KeySize 128 -Username <OpenPagesAdministrator> -Password <OpenPagesAdministratorPassword>
  3. Restart all OpenPages services.
  4. If you are changing from OP-CUSTOM to AES and you use OpenPages to authenticate users, notify all users that their passwords have been reset to 0p3nP4g3s and that they must change their passwords the next time they log on to the system.
    Note: If you are using Single Sign-On (SSO), LDAP, or another external system to authenticate users, passwords are not reset.
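
A check to support step 1, as an added example that is not part of the IBM documentation: it lists the properties whose value still starts with the {3DES} indicator, printing only file, line number and property name so that the encrypted value is not echoed to the terminal. The function name find_3des_entries and the sample lines are constructed for illustration. OP-CUSTOM values carry no indicator and cannot be found this way.

```shell
#!/bin/sh
# List properties whose value still carries the {3DES} indicator.
# Output is file:line:key only; the encrypted value is never printed.
find_3des_entries() {
    for f in "$@"; do
        [ -r "$f" ] || { echo "cannot read: $f" >&2; continue; }
        awk '
            /^[ \t]*[#!]/ { next }              # skip comment lines
            {
                pos = index($0, "=")            # split on the first "="
                if (pos == 0) next
                key = substr($0, 1, pos - 1)
                val = substr($0, pos + 1)
                gsub(/^[ \t]+|[ \t]+$/, "", key)
                sub(/^[ \t]+/, "", val)
                # Match the indicator only at the start of the value.
                if (index(val, "{3DES}") == 1) print FILENAME ":" NR ":" key
            }' "$f"
    done
}

if [ -n "${OP_HOME:-}" ]; then
    # Real run: the two files named in step 1.
    find_3des_entries "$OP_HOME/aurora/conf/aurora.properties" \
                      "$OP_HOME/aurora/bin/op-backup-restore.env"
else
    # Demo run on constructed sample lines (not real configuration).
    sample=$(mktemp)
    printf '%s\n' \
        '# constructed sample' \
        'database.USER=opuser' \
        'database.PASSWORD={3DES}Rj+steg+3eU7kb8O+\=\=' > "$sample"
    find_3des_entries "$sample"
    rm -f "$sample"
fi
```

Running it again after the edits in step 1 and getting no output confirms that no {3DES} entry was missed in either file.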