IBM Support

PH18467: ENHANCED FILE-BASED AND DATABASE REPOSITORY PASSWORD HASHING ALGORITHMS

Subscribe

You can track all active APARs for this component.

 

APAR status

  • Closed as new function.

Error description

  • The file-based and database repository in federated
    repositories are initialized to use SHA-1. This is a rather
    insecure algorithm. The repositories should be updated so the
    repositories support, and default to, more complex hashing
    algorithms.
    

Local fix

Problem summary

  • ****************************************************************
    * USERS AFFECTED:  All users of IBM WebSphere Application      *
    *                  Server federated file-based and database    *
    *                  repositories                                *
    ****************************************************************
    * PROBLEM DESCRIPTION: The file and database repositories      *
    *                      default to SHA-1, which is insecure.    *
    ****************************************************************
    * RECOMMENDATION:                                              *
    ****************************************************************
    The file and database repositories default to SHA-1, which is
    insecure.
    

Problem conclusion

  • The database and file repositories were updated to support,
    and default to PBKDF2WithHmacSHA1 with larger key and salt
    sizes, as well as a larger number of hashing iterations. These
    parameters are configurable either in the web console or by
    using wsadmin commands.
    
    When using the database repository with a database that is
    shared across multiple servers, care should be taken to not
    use the new algorithms when all servers using the database are
    not up-level from the fix. Doing so could result in all
    down-level servers failing authentication for users whose
    passwords are hashed with the new algorithm.
    
    The fix for this APAR is currently targeted for inclusion in
    fix pack 9.0.5.1 and 8.5.5.17.  Please refer to the Recommended
    Updates page for delivery information:
    http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980
    

Temporary fix

Comments

APAR Information

  • APAR number

    PH18467

  • Reported component name

    WEBSPHERE APP S

  • Reported component ID

    5724J0800

  • Reported release

    850

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2019-10-25

  • Closed date

    2019-10-25

  • Last modified date

    2019-10-25

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    WEBSPHERE APP S

  • Fixed component ID

    5724J0800

Applicable component levels

  • R850 PSY

       UP

[{"Business Unit":{"code":"BU053","label":"Cloud \u0026 Data Platform"},"Product":{"code":"SSEQTP","label":"WebSphere Application Server"},"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"850","Line of Business":{"code":"LOB36","label":"IBM Automation"}}]

Document Information

Modified date:
14 October 2021