IBM Support

SE72931 - OSP-OTHER-UNPRED PARTIAL PASSWORD ENTRY CONVERSION NOT
COMPLETING TO SUPPORT ENCRYPTED PASSWORDS IN ADMIN DOMAIN.

APAR (Authorized Program Analysis Report)

Abstract

OSP-OTHER-UNPRED PARTIAL PASSWORD ENTRY CONVERSION NOT
COMPLETING TO SUPPORT ENCRYPTED PASSWORDS IN ADMIN DOMAIN.

Error Description

Recently there was a new feature added to the cluster administrative
domain (CAD) via cluster modification level 3 to support replicating
encrypted passwords in current supported releases of PowerHA.
When all nodes in the CAD have the PTF applied and clustering is
started, CAD goes through its conversion of replacing the old password
entry with the new one (different format but same password) for each
profile managed by the CAD.

It was discovered that the conversion was not completing across
all of the nodes.

This APAR will be used to create a program that can be called
on each independent node in the cluster to perform the conversion
of the password entry on the MREs in the admin domain.

Problem Summary

Recently there was a new feature added to the cluster          
administrative domain (CAD) via cluster modification level 3 to
support replicating encrypted passwords in current supported    
releases of PowerHA. When all nodes in the CAD have the PTF    
applied and clustering is started, CAD goes through its        
conversion of replacing the old password entry with the new one
(different format but same password) for each profile managed by
the CAD.                                                        
                                                               
It was discovered that the conversion was not completing across
all of the nodes.                                              
                                                               
This APAR will be used to create a program that can be called on
each independent node in the cluster to perform the conversion  
of the password entry on the MREs in the CAD.                  

Problem Conclusion

Program QSYS/QCSTADFIX has been enhanced to correct cluster    
administrative domain inconsistent global status of user        
profiles when upgrading from cluster modification level 2      
to 3 which resulted in encrypted password conversion.          
                                                               
Restrictions:                                                  
- The program is not allowed to run while cluster resource      
  services is active                                            
- The caller must have *ALLOBJ authority                        
                                                               
It is recommended to:                                          
1. Apply this PTF to all nodes in the cluster.                  
2. End all CRGs to prevent a failover.                          
3. End clustering on all nodes in the cluster.                  
4. Call the program: CALL PGM(QCSTADFIX) PARM(*FIXENCPWD)      
   on each node in the cluster administrative domain.          
   Note that the program may take several minutes to complete.  
   When the program has completed, a summary will be given      
   indicating how many password attributes were successfully    
   converted, skipped, or failed. If any warnings or failures  
   occurred, these will be logged to the joblog of the caller.  
5. You may see a CPF9898 message warning "*USRPRF &1 GLOBAL    
   VALUE FOR PASSWORD ATTRIBUTE IS INCOMPATIBLE FOR ENCRYPTED  
   PASSWORD CONVERSION". This means that the monitored          
   resource entry for that user profile was inconsistent        
   before the cluster modification level increased or there    
   is a pending change to the user profile.                    
6. Choose the node with the largest number of successful        
   password conversions. Start this cluster node first. If      
   all cluster administrative domain nodes ran the QCSTADFIX    
   program and reported all successes (no failures or          
   warnings), then it does not matter which node you choose    
   to start first.                                              
7. Start all other nodes in the cluster.                        
8. Start the cluster administrative domain from any node.      
9. If no warning or failure messages were present on any        
   cluster administrative domain nodes after calling the        
   QCSTADFIX program, then all *USRPRF monitored resource      
   entries should be consistent after the cluster              
   administrative domain has completely started.                
10. Any user profiles for which a warning or failure message    
    was sent may still be inconsistent. This can be corrected  
    by either changing the password of the user profile or      
    removing the monitored resource entry from the cluster      
    administrative domain and then adding the monitored        
    resource entry for this user profile.                      
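
The decision in steps 5, 6, 9 and 10, worked through as an added example (not IBM code and not part of the APAR). It assumes the operator saved each node's joblog as text and copied the summary counts by hand; the node names, profile names and joblog layout are constructed, and only the CPF9898 text comes from step 5.

```python
import re
from dataclasses import dataclass

# CPF9898 warning text as quoted in step 5; &1 is the user profile name.
# \s+ between words also spans line breaks, so a wrapped message still matches.
WARNING = re.compile(
    r"\*USRPRF\s+(\S+)\s+GLOBAL\s+VALUE\s+FOR\s+PASSWORD\s+ATTRIBUTE\s+IS\s+"
    r"INCOMPATIBLE\s+FOR\s+ENCRYPTED\s+PASSWORD\s+CONVERSION")

@dataclass
class NodeResult:
    node: str
    converted: int      # counts copied by hand from the program's summary
    skipped: int
    failed: int
    joblog: str = ""    # caller's joblog saved as text (assumed export)

    def warned_profiles(self):
        return sorted(set(WARNING.findall(self.joblog)))

    def clean(self):
        return self.failed == 0 and not self.warned_profiles()

def plan_restart(results):
    """Return (node to start first, whether that choice matters, profiles to recheck)."""
    first = max(results, key=lambda r: r.converted).node            # step 6
    order_matters = not all(r.clean() for r in results)             # step 6, second half
    recheck = sorted({p for r in results for p in r.warned_profiles()})  # step 10
    return first, order_matters, recheck

# Constructed sample: two nodes, one with two warnings (one wrapped across lines).
SAMPLE = [
    NodeResult("NODEA", converted=42, skipped=0, failed=0),
    NodeResult("NODEB", converted=40, skipped=0, failed=0, joblog=(
        "CPF9898 *USRPRF APPUSER1 GLOBAL VALUE FOR PASSWORD ATTRIBUTE IS\n"
        "        INCOMPATIBLE FOR ENCRYPTED PASSWORD CONVERSION.\n"
        "CPF9898 *USRPRF BATCHUSR GLOBAL VALUE FOR PASSWORD ATTRIBUTE IS "
        "INCOMPATIBLE FOR ENCRYPTED PASSWORD CONVERSION.\n")),
]

if __name__ == "__main__":
    print(plan_restart(SAMPLE))
```

The APAR does not quote the text of failure messages, so profiles behind a non-zero failed count still have to be read from the joblog by hand before applying step 10.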

Temporary Fix

                                                               

Comments

                                                               

Circumvention


PTFs Available

R720 SI78581  1000

R730 SI79856  1000

R740 SI72194  0303

Affected Modules


         
         

Affected Publications

Summary Information

Status............................  CLOSED PER
HIPER.............................  No
Component.........................  5770SS100
Failing Module....................  RCHMGR
Reported Release..................  R740
Duplicate Of......................  




Document Information

Modified date:
20 May 2022