Password encryption properties
The password encryption properties configure how IBM Verify Identity Governance encrypts passwords and related secrets. This page defines each of those properties.
Encryption properties
enrole.encryption.algorithm
Do not modify this property key and value.
Specifies the cipher suite to use for encryption, for example AES or PBEWithMD5AndDES.
Example (default):
enrole.encryption.algorithm=AES
enrole.encryption.password
Do not modify this property key and value. This value is specified during IBM Verify Identity Governance installation.
The value of the enrole.encryption.password property is moved into the encryptionKey property file, where it is stored encoded by default.
For Password-Based Encryption (PBE) algorithms (used for upgraded IBM® Security Identity Manager Version 4.6 installations), specifies the encrypted password used as the input parameter for PBE. PBE is a method of encrypting and decrypting data with a secret key derived from a user-supplied password. Encrypted data includes, for example, shared secrets, service passwords, and some protected account attributes.
For non-PBE algorithms (used for new IBM Security Identity Manager Version 5.0 installations), specifies the keystore password in encrypted format. When AES is the encryption algorithm, this password protects the keystore that stores the private key. For more information, see the enrole.encryption.keystore property.
enrole.encryption.passwordDigest
Do not modify this property key and value.
Specifies the type of password digest used for an IBM Verify Identity Governance password. An installation upgraded from Tivoli® Identity Manager Version 4.6 continues to use the original hash algorithm until users change their passwords; that original algorithm is defined by the enrole.pre50.encryption.passwordDigest property. Valid values are:
- SHA-256 – Federal Information Processing Standards (FIPS)-approved hashing algorithm used by IBM Tivoli Identity Manager Version 5.0 for passwords. A random salt value is added to the data before it is hashed.
- SHA-384 – FIPS-approved hashing algorithm providing 384 bits of security (by truncating the output of the SHA-512 algorithm). A random salt value is added to the data before it is hashed.
- SHA-512 – FIPS-approved hashing algorithm providing 512 bits of security. A random salt value is added to the data before it is hashed.
Example (default):
enrole.encryption.passwordDigest=SHA-256
enrole.pre50.encryption.passwordDigest
Do not modify this property key and value. Upgrading IBM Security Identity Manager from Version 4.6 adds this property dynamically to this properties file.
Specifies the type of password digest used for IBM Verify Identity Governance password data migrated from IBM Security Identity Manager versions before 5.0. The absence of a ":" in a stored IBM Verify Identity Governance password value identifies such migrated data.
Note: All new passwords, including changed migrated passwords, are stored with the enrole.encryption.passwordDigest algorithm.
Example (default for migrated installations; not present for new installations):
enrole.pre50.encryption.passwordDigest=MD5
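As an added illustration of the two digest properties above (example code, not IBM's or the product's own), the following Python shows a salted SHA-256/SHA-384/SHA-512 password hash as the passwordDigest entry describes it, the ":" rule from the pre50 entry for recognising migrated values, and a verifier that reports when a migrated value should be re-hashed under enrole.encryption.passwordDigest on the next successful login. The three-field "digest:salt:hash" layout and the assumption that a migrated value is an unsalted hex MD5 digest are this example's own; the page does not describe the product's actual storage encoding.

```python
import hashlib
import hmac
import os

# Values the page lists as valid for enrole.encryption.passwordDigest,
# mapped to hashlib algorithm names.
SALTED_DIGESTS = {"SHA-256": "sha256", "SHA-384": "sha384", "SHA-512": "sha512"}
# Page default for enrole.pre50.encryption.passwordDigest on migrated installations.
PRE50_DIGEST = "MD5"


def hash_password(password, digest="SHA-256", salt=None):
    """Return a salted digest encoded as '<digest>:<salt hex>:<hash hex>'.

    The three-field layout is an assumption made for this example; it keeps
    the ':' that the page says distinguishes current values from migrated ones.
    """
    if digest not in SALTED_DIGESTS:
        raise ValueError(f"unsupported passwordDigest value: {digest!r}")
    if salt is None:
        salt = os.urandom(16)  # random salt added before hashing, as the page describes
    h = hashlib.new(SALTED_DIGESTS[digest], salt + password.encode("utf-8"))
    return f"{digest}:{salt.hex()}:{h.hexdigest()}"


def is_migrated_value(stored):
    """Page rule: a stored password value without ':' is pre-5.0 migrated data."""
    return ":" not in stored


def governing_digest(stored, password_digest="SHA-256", pre50_digest=None):
    """Name the property value that applies to a stored value (useful in an audit)."""
    if not is_migrated_value(stored):
        return password_digest
    if pre50_digest is None:
        raise ValueError("migrated value found but enrole.pre50.encryption.passwordDigest is unset")
    return pre50_digest


def verify_password(password, stored, pre50_digest=PRE50_DIGEST):
    """Return (matches, needs_rehash).

    needs_rehash is True for migrated values: the page says they keep the old
    algorithm until the user changes the password, so a successful login is the
    point at which to store the password under enrole.encryption.passwordDigest.
    """
    if is_migrated_value(stored):
        # Assumption for this example: a migrated value is an unsalted hex digest
        # under the pre-5.0 algorithm (MD5 by default).
        legacy = hashlib.new(pre50_digest.replace("-", "").lower(), password.encode("utf-8"))
        return hmac.compare_digest(legacy.hexdigest().encode(), stored.lower().encode()), True
    parts = stored.split(":")
    if len(parts) != 3:
        raise ValueError("stored value is not in '<digest>:<salt hex>:<hash hex>' form")
    digest, salt_hex, _ = parts
    recomputed = hash_password(password, digest, bytes.fromhex(salt_hex))
    return hmac.compare_digest(recomputed.encode(), stored.encode()), False


def rehash_if_needed(password, stored, password_digest="SHA-256", pre50_digest=PRE50_DIGEST):
    """Verify the password and return the value to keep in storage: a fresh salted
    hash for migrated values, the existing value otherwise. None means no match."""
    ok, needs_rehash = verify_password(password, stored, pre50_digest)
    if not ok:
        return None
    return hash_password(password, password_digest) if needs_rehash else stored


if __name__ == "__main__":
    legacy = hashlib.md5(b"password").hexdigest()  # constructed migrated value
    print(governing_digest(legacy, pre50_digest=PRE50_DIGEST))
    print(rehash_if_needed("password", legacy)[:8])
```

The constant-time comparison (hmac.compare_digest) and the fixed random salt length are the example's choices; the page only states that a random salt is prepended and which digest families are valid.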
enrole.encryption.keystore
Do not modify this property key and value.
Specifies the keystore file name that contains the randomly generated secret key for non-PBE encryption algorithms, such as AES. This keystore file is protected with the enrole.encryption.password value and is located in the IM_HOME\data\keystore directory.
Example (default):
enrole.encryption.keystore=itimKeystore.jceks
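To check a properties file against the constraints these five entries describe, the following Python (an added example, not part of the product or of this page) parses the Java .properties syntax and reports missing keys, an unrecognised cipher suite or digest, the legacy PBEWithMD5AndDES suite that marks an upgraded 4.6 installation, and the presence of the pre-5.0 digest property that signals migrated password data. The sample file content, the severity labels and the wording of the findings are constructed for the example; the valid values are the ones the page lists.

```python
import re

# Constructed sample: an installation upgraded from Version 4.6 that still uses
# the PBE cipher suite and carries the pre-5.0 digest property.
SAMPLE_PROPERTIES = """\
# enRole.properties excerpt (constructed for this example)
enrole.encryption.algorithm=PBEWithMD5AndDES
enrole.encryption.password=ENCRYPTED-VALUE-PLACEHOLDER
enrole.encryption.passwordDigest=SHA-256
enrole.pre50.encryption.passwordDigest=MD5
enrole.encryption.keystore=itimKeystore.jceks
"""

# Values the page documents for each property.
VALID_ALGORITHMS = {"AES", "PBEWithMD5AndDES"}
VALID_DIGESTS = {"SHA-256", "SHA-384", "SHA-512"}
REQUIRED_KEYS = (
    "enrole.encryption.algorithm",
    "enrole.encryption.password",
    "enrole.encryption.passwordDigest",
    "enrole.encryption.keystore",
)
_KV = re.compile(r"([^=:\s]+)\s*[=:]?\s*(.*)")


def _logical_lines(text):
    """Join backslash-continued lines and drop blank and '#'/'!' comment lines."""
    pending = None
    for raw in text.splitlines():
        line = raw.strip()
        if pending is not None:
            line, pending = pending + line, None
        elif not line or line[0] in "#!":
            continue
        if line.endswith("\\"):
            pending = line[:-1]
            continue
        yield line
    if pending:
        yield pending


def parse_properties(text):
    """Minimal Java .properties reader: '=' , ':' or whitespace separate key and value."""
    props = {}
    for line in _logical_lines(text):
        m = _KV.match(line)
        if m:
            props[m.group(1)] = m.group(2)
    return props


def audit_encryption_properties(props):
    """Return (severity, key, message) findings for the enrole.encryption.* settings."""
    findings = []
    for key in REQUIRED_KEYS:
        if not props.get(key):
            findings.append(("error", key, "required property is missing or empty"))
    alg = props.get("enrole.encryption.algorithm")
    if alg and alg not in VALID_ALGORITHMS:
        findings.append(("error", "enrole.encryption.algorithm",
                         f"unrecognised cipher suite {alg!r}"))
    elif alg == "PBEWithMD5AndDES":
        findings.append(("warn", "enrole.encryption.algorithm",
                         "PBE suite from an upgraded 4.6 installation; new installations use AES with a keystore"))
    digest = props.get("enrole.encryption.passwordDigest")
    if digest and digest not in VALID_DIGESTS:
        findings.append(("error", "enrole.encryption.passwordDigest",
                         f"{digest!r} is not one of {sorted(VALID_DIGESTS)}"))
    pre50 = props.get("enrole.pre50.encryption.passwordDigest")
    if pre50:
        findings.append(("info", "enrole.pre50.encryption.passwordDigest",
                         f"migrated installation: stored values without ':' still use {pre50} until the password is changed"))
    return findings


if __name__ == "__main__":
    for severity, key, message in audit_encryption_properties(parse_properties(SAMPLE_PROPERTIES)):
        print(f"[{severity}] {key}: {message}")
```

Run against a real enRole.properties, the "info" finding for the pre-5.0 digest is the cue to confirm that users with migrated password data have been prompted to change their passwords, which is the only way the page says those values move to the current digest.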